So far, there are two versions of the link (http://goo.gl/R7f68 and http://goo.gl/od0az), but there are likely to be more. The worm piqued the curiosity of many users, since the message carrying the link contains nothing else - no explanation, no hint.
The Next Web used a tool that lets users check where the shortened link will take them before they click on it, and it turns out that the destination is http://artcan-developpement.fr/tw.html, a legitimate but compromised site of a French furniture company.
"The bit after the slash of course redirects to various exe or php files on several other domains (e.g. detecproforyou.us/twit.php or robsearch.info/tre/sena.exe) then results in a 404 for that file. But at the source for that page and it’s empty," said a commenter to the site.
Whether these sites are meant to serve malware is not yet clear, but the real issue here is that they might, so Twitter needs to find out soon how this worm spreads and stop it in order to prevent further mischief.
“We’re aware and have sent out password resets for affected users. We’ll monitor the situation in case of further iterations,” stated Twitter representative Troy Holden to TechCrunch in the meantime.
A third use of a goo.gl shortened link has also been spotted, and it's not yet clear if there is any connection with the worm. This time, the message contains more than just a link - it advertises a service to track "who follows and unfollows you".
In any case, for the time being, it's best to avoid clicking on these and similar links - especially if you're checking your account via your cell phone.