
Twitter Goo.gl Worm Pushes Fake Antivirus Protection

By Chloe Albanesius, Executive Editor, News


Another worm is making the rounds on Twitter via the goo.gl URL shortening service, often directing users to fake anti-virus software.

Affected users might notice mysterious tweets that they did not write showing up on their feeds, many of which include goo.gl links that end with "m28sx.html."

"Although most affected Twitter users appear to be oblivious to what has occurred, a few have noticed the messages, and suspected a security breach," Sophos's Graham Cluley wrote in a blog post.

If you click on these links, you are taken to a Web site that suggests your computer has been infected by a virus. The site encourages you to download what it says is anti-virus protection but is actually malicious code.

Del Harvey, head of Twitter's trust and safety efforts, tweeted yesterday that the company was "working to remove the malware links and reset passwords on compromised accounts."

When asked how this attack happened, Harvey said it "looks to be folks who got phished in the last round but whose accounts weren't used to attack others."

A similar goo.gl worm popped up on Twitter in early December.

Cluley said what "isn't yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen."

"It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately," Cluley suggested.

Kaspersky's Nicolas Brulez said in a blog post that the fake A/V "webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code."

Brulez posted more technical details on his blog.

Adam Wosotowsky, principal researcher at McAfee Labs, said the Twitter attack "is not new, and is fairly simple to execute."

"The attack is most likely a Trojan that began by phishing, possibly by a social media worm like Koobface," he said in a statement. "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."

On Thursday, Trapster warned users that its username and password database has been compromised, affecting over 10 million users. Customers who used the same password for Trapster and other sites should change them immediately, the site said.

Harvey tweeted the Trapster warning on her feed, but said she was just doing so to make sure "that others know they should change their passwords if they belonged."

Editor's Note: This story was updated at 2pm Eastern with comment from McAfee.
