Right at this very moment, a cross-site scripting (XSS) worm is spreading like wildfire through Orkut communities due to a flaw in Google's Orkut.
If you've read the following scrapbook entry in Orkut
2008 vem ai... que ele comece mto bem para vc
from one of your friends, you're infected. Simply viewing the message is sufficient for your Orkut account to be added to a new community named "Infectados pelo Vírus do Orkut" and to become an unwilling new host for the worm. At the time of this writing, the number of Orkut members in Infectados pelo Vírus do Orkut is already at the 400K mark.
According to a posting made by the author of this worm, Rodrigo Lacerda, this script is not malicious in any way, well, except for making you an unwitting participant in his experiment. You can verify this for yourself, as someone has posted the decoded JavaScript source of the script at http://paste.uni.cc/17840. The original is located at http://files.myopera.com/virusdoorkut/files/virus.js. Still, changing your password isn't terribly difficult.
From what I can grasp from scanning through the script, it appears to work this way. First, it adds you to http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. Next, it loads and extracts your entire friends list and sends itself to every friend, thus completing the infection cycle. It can do this because Orkut allows HTML to be inserted into scraps.
Apparently "2008 vem ai... que ele comece mto bem para vc" translates roughly to "2008 is coming... that it begins is really good for you." It doesn't seem to look that way for Orkut's engineers.
Edit: Btw, the excessive traffic generated by this script is partly due to the fact that it continually retries contacting Orkut's servers if it fails to do what it wants on the first try (force you into the above-mentioned community and load your friends list).
Update: The original script location now returns an empty file. That should prevent any new infections from now on. Note that while many folks think the Flash file is somehow malicious, I'm quite sure that it isn't, because http://www.orkut.com/LoL.aspx (the source of the Flash file) doesn't even exist!
The embed code is simply the vector through which the malicious script is loaded: it is crafted in such a way that your browser parses and executes the JavaScript contained in the embed code. Hence the best way to mitigate this is to use the NoScript extension rather than FlashBlock, since JavaScript is the real culprit here.
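The root cause described above is that Orkut accepted raw HTML in scraps, so an embed tag could smuggle in script. The usual server-side fix is an allowlist sanitizer that keeps only harmless formatting tags and attributes and turns everything else into inert text. The following is an added example written for this post, not Orkut's code and not the worm's: the tag and attribute allowlists, the `sanitizeScrap` and `isSuspicious` names, and the constructed sample scrap are all assumptions chosen for illustration.

```javascript
// Added example (not from the original post or from Orkut): allowlist-based
// sanitizer for user-submitted HTML such as scrapbook entries, plus a small
// detection helper that flags scraps which tried to carry active content.

// Only these tags survive; anything else (script, embed, object, iframe, img,
// ...) is dropped and its inner text is rendered as escaped, inert text.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'a', 'em', 'strong']);
// Only <a href> keeps an attribute; this silently drops on* handlers and style.
const ALLOWED_ATTRS = { a: new Set(['href']) };
// href must start with a known-safe scheme or be relative; this rejects
// javascript:, data:, vbscript: and obfuscated variants by construction.
const SAFE_URL = /^(https?:\/\/|\/|#|mailto:)/i;
// Tags whose presence in user input is worth logging as a probable attack.
const ACTIVE_CONTENT_TAGS = new Set(['script', 'embed', 'object', 'iframe']);

function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Rebuild the attribute string for an allowed tag from its raw attribute text.
function filterAttrs(rawAttrs, tagName) {
  const allowed = ALLOWED_ATTRS[tagName];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let result = '';
  let a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const key = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowed.has(key)) continue;
    if (key === 'href' && !SAFE_URL.test(value.trim())) continue;
    result += ` ${key}="${escapeText(value)}"`;
  }
  return result;
}

// Returns { html, dropped }: the sanitized markup and the names of the
// disallowed tags that were removed (opening tags only, in input order).
function sanitizeScrap(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(\/?)>/g;
  const out = [];
  const dropped = [];
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Text between tags is escaped, so a stray '<' can never start markup.
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing) dropped.push(name);
      continue; // the whole tag disappears; its content becomes plain text
    }
    out.push(closing ? `</${name}>` : `<${name}${filterAttrs(m[3], name)}>`);
  }
  out.push(escapeText(html.slice(last)));
  return { html: out.join(''), dropped };
}

// Detection hook: a scrap that carried script/embed/object/iframe is worth
// an alert even though the sanitizer already neutralised it.
function isSuspicious(result) {
  return result.dropped.some((t) => ACTIVE_CONTENT_TAGS.has(t));
}

// Constructed sample scrap (assumption): the worm's greeting text followed by
// the kind of active markup an attacker would try to smuggle in.
const SAMPLE_SCRAP =
  '2008 vem ai... que ele comece mto bem para vc ' +
  '<embed src="http://example.invalid/loader.swf"></embed>' +
  '<script src="http://example.invalid/worm.js"></script>' +
  '<a href="javascript:void(0)">hi</a> <b onclick="run()">bold</b>';

if (typeof require !== 'undefined' && require.main === module) {
  const result = sanitizeScrap(SAMPLE_SCRAP);
  console.log(result.html);
  console.log('dropped:', result.dropped, 'suspicious:', isSuspicious(result));
}
```

The allowlist is the important design choice: a denylist that strips `<script>` and `<embed>` is exactly what an attacker probes for the next bypass, whereas an allowlist of a handful of formatting tags and a scheme check on `href` leaves nothing for the browser to execute. The `dropped` list doubles as a detection signal, so a sudden spike of scraps carrying `embed` or `script` would have shown up in logs long before 400K accounts joined a community.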
Btw, you should thank Rodrigo Lacerda for highlighting this vulnerability in such a manner.
Sources:
[Google's Orkut Hit with a Javascript (Flash?) Worm @ TechnoSocial]
[Orkut XSS @ Sounds From The Dungeon]