
Flash Worm – SANS Analysis

SANS has a write-up about a recent Flash worm.

"A few days ago a lot of media wrote about a Flash worm. I managed to
get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for
the samples).

First of all, while the exploit code contains Flash, it is actually
just used as an attack (or, if we stretch it, infection) vector. The
worm itself is contained in JavaScript and is very similar to the
Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I'm not wrong), Renren (http://www.renren.com).
This site is in many ways similar to Twitter or Facebook, but much more
media intensive and it allows users to share various information,
including pictures, movies etc.

Users of this site can share videos with each other (same as on
Facebook). Besides other media, users can also point to Flash movies
and this was enough for the attacker to exploit one small error in the
video player code used by the Renren site.

The URL to an SWF file posted by a user was processed by a function
called playswf(). Among other things this function creates an embedded
object (application/x-shockwave-flash) that points to the user supplied
SWF file." – SANS

Read more: http://isc.sans.org/diary.html?storyid=7015
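
The excerpt above does not say which error in the player code was exploited, so the following is a general hardening sketch for any function that, like playswf(), builds a Flash embed from a user-supplied URL. It is an added example, not code from Renren or from the SANS diary; `buildSwfEmbed`, `escapeAttr`, `ALLOWED_HOSTS` and the host `media.example.com` are hypothetical names chosen for illustration.

```javascript
// Added example (not the site's code): build a Flash embed for a
// user-supplied SWF URL while limiting what the movie can do to the page.
// ALLOWED_HOSTS is a constructed allowlist; a real site would list the
// media hosts it actually trusts.
const ALLOWED_HOSTS = new Set(["media.example.com"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns embed markup for an accepted URL, or null if the URL is rejected.
function buildSwfEmbed(userUrl) {
  let url;
  try {
    url = new URL(userUrl);            // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // Only plain web schemes; rejects javascript:, data:, file: and the like.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Reject userinfo so "trusted-host@other-host" cannot mislead reviewers.
  if (url.username || url.password) return null;
  // Compare the parsed hostname, never a substring of the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  const src = escapeAttr(url.href);
  return '<object type="application/x-shockwave-flash" data="' + src + '">' +
         '<param name="movie" value="' + src + '">' +
         // "never": the movie cannot call JavaScript in the embedding page.
         '<param name="allowScriptAccess" value="never">' +
         // "internal": the movie cannot navigate or script the browser.
         '<param name="allowNetworking" value="internal">' +
         '</object>';
}
```

The important property is that the embedding page, not the submitted movie, decides whether the SWF may reach the page's script context.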