At 8:45 a.m EST today, this Twitter search shows thousands of Twitter messages continuing to spread the worm.
Kaspersky Lab malware researcher Nicolas Brulez (see important disclosure) said the original "goo.gl" links in the Twitter messages are redirecting users to different domains with a “m28sx.html” page. That page then redirects to a static domain with a Ukrainian top level address.
As if it was not enough, this domain redirects the user to another IP address which has been linked in the past to fake anti-virus distributions. "This IP address will then do the final redirection job, which leads to the actual Fake AV site," Brulez explained.
Once a user's browser session is redirected to the malicious site, a warning message claims the computer is running suspicious applications and the user is encouraged to run a scan. As usual, the result is that the machine is infected with malicious threats and the scam is to trick the user into downloading a fake disinfection tool.