What would you do if a friend sent you a video link with the message “I told you I got an iPhone4 for free :))”, like this:

Figure 1: Message from a friend

“” is a well-known and reliable domain, so I bet that a lot of users will click this link to see the video. With one click, you have been tricked by the bad guys into spreading a virus. This is, in fact, a relatively sophisticated trick: the hackers replace the dot “.” with “%2E”, which the browser is still able to read. So the link you click is actually not “” but “”.

This link points to a perfectly faked YouTube:

Figure 2: YouTube is faked in a sophisticated way

However, to see this video clip, you will be required to download and install Adobe Flash Player, which is in fact a virus written in AutoIt:

Figure 3: Fake Adobe Flash Player setup

Once loaded, this virus (detected by Bkav as W32.Faketube.Worm) does the following:

- Automatically copies itself to the %Startup% folder as “Adobe.exe” so that it runs at Windows startup.

- Changes the default homepage of IE to promote the website: http://com[removed]

- Automatically sends messages with malicious links via popular chat programs. Chat programs used by the virus:

  • Yahoo! Messenger
  • AIM
  • Windows Live Messenger
  • Windows Messenger

- Messages’ content:

  • "is it cool :D"
  • "see my new clip on Youtube =))"
  • "I told you I got an iPhone4 for free :)) "
  • "my new iPad is coming ;;) "

- These messages are sent with a link to the fake YouTube: [removed]ckconfig%2Einfo/?video=flash&vid=thr2503

- Downloads other malware and updates itself via the following links:

  • [removed]duc/update/cw2010.exe
  • [removed]duc/update/CWcount.php
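The “%2E” trick described above can be caught by decoding the host part of a link before judging which domain it belongs to. The following is an added example, not code from Bkav or from the malware: the trusted-domain list, the function names and the sample URLs (under the reserved `.example` TLD) are constructed for illustration, and the last-two-labels rule stands in for a real Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: domains treated as genuine for the brand being imitated.
TRUSTED_DOMAINS = {"youtube.com"}
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def registrable_domain(host):
    """Naive approximation: last two labels. Use a Public Suffix List in production."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def inspect_link(url):
    """Return (decoded_host, findings) for a link taken from a chat message."""
    if "://" not in url:
        url = "http://" + url  # chat links are often pasted without a scheme
    raw_host = urlsplit(url).hostname or ""
    # Decode %2E and friends so the host is seen the way the browser resolves it.
    host = unquote(raw_host).lower().rstrip(".")
    findings = []
    if PCT_ESCAPE.search(raw_host):
        findings.append("percent-encoding in host")
    reg = registrable_domain(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        # The trusted name is only a prefix label; another domain is contacted.
        if trusted in host and reg != trusted:
            findings.append(f"'{trusted}' appears in host but real domain is '{reg}'")
    return host, findings


# Constructed sample links, not the URLs used by the worm.
SAMPLES = [
    "http://www.youtube.com%2Elookalike.example/?video=flash&vid=1",
    "https://www.youtube.com/watch?v=abc",
]

if __name__ == "__main__":
    for link in SAMPLES:
        host, findings = inspect_link(link)
        print(link, "->", host, findings or "no findings")
```
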


Nguyen Cong Cuong

Senior Malware Researcher


Sincere thanks to Nguyen Hong Quang for his malware analysis.
