What would you do if a friend sent you a video link with the message “I told you I got an iPhone4 for free :))”, like this:
Figure 1: Message from a friend
“Youtube.com” is a well-known and trusted domain, so a lot of users will click this link to see the video. With that one click, they have been tricked by the bad guys into spreading a virus. This is, in fact, a relatively sophisticated trick. The attackers replace the dot “.” in the host name with its percent-encoded form “%2E”, which the browser still reads as a dot. The link you click is therefore not “youtube.com” at all but “youtube.com.checkconfig.info”: the familiar “youtube.com” is only the leading part of a host name that belongs to someone else, and the eye stops reading before it reaches the real domain.
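The check a practitioner would want for this trick is to look at the host the browser actually connects to rather than the text a user sees. The following Python is an added example, not code from the Bkav post or from the analysed sample: it extracts links from chat messages, percent-decodes the host name, derives the registrable domain and flags links whose host merely begins with a trusted name. The sample messages, the checkconfig.info paths and the legitimate YouTube link are constructed for the example, and the “last two labels” rule for the registrable domain is a deliberate simplification (a real deployment would use the public suffix list).

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample messages, modelled on the spam text the worm sends.
# The paths and video IDs are invented for this example.
SAMPLE_MESSAGES = [
    "I told you I got an iPhone4 for free :)) "
    "http://youtube.com%2Echeckconfig.info/watch?v=abc123",
    "see my new clip on Youtube =)) http://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "is it cool :D http://youtube.com.checkconfig.info/watch?v=abc123",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Domains the user is expected to trust; youtube.com is the one the lure abuses.
TRUSTED_DOMAINS = {"youtube.com"}


def real_host(url):
    """Return the host the browser will actually contact.

    urlsplit() leaves percent-encoding in the netloc untouched, so
    "youtube.com%2Echeckconfig.info" comes back with the %2E intact;
    unquote() turns it back into the dot the browser sees.
    """
    host = urlsplit(url).hostname or ""
    return unquote(host).lower().rstrip(".")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: no public-suffix handling, so
    "youtube.com.checkconfig.info" -> "checkconfig.info".
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url):
    """Classify a link as 'ok', 'lookalike' or 'untrusted'.

    'lookalike' is the Faketube pattern: the real host starts with a
    trusted domain name followed by more labels, so the visible prefix
    says youtube.com while the connection goes somewhere else.
    """
    host = real_host(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok"
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):
            return "lookalike"
    return "untrusted"


def scan_message(text):
    """Return (url, real host, verdict) for every link in a chat message."""
    return [(url, real_host(url), classify_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for url, host, verdict in scan_message(message):
            print(f"{verdict:10} {host:35} {url}")
```

Running the block prints a verdict for each constructed message; the two checkconfig.info links are reported as lookalikes with their decoded host, while the genuine www.youtube.com link passes. The same host-normalisation step is what a mail or chat gateway should apply before comparing a link against an allow-list.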
This link leads to a near-perfect fake of YouTube:
Figure 2: YouTube is faked in a sophisticated way
However, to watch the clip you are asked to download and install “Adobe Flash Player”, which is in fact a virus written in AutoIt:
Figure 3: Fake Adobe Flash Player setup
Once loaded, this virus (detected by Bkav as W32.Faketube.Worm) will:
- Copy itself to the %Startup% folder as “Adobe.exe” so that it runs at every Windows start-up.
- Change the default homepage of Internet Explorer to promote the website: http://com[removed]osy.com/
- Send messages containing malicious links via popular chat programs. Chat programs used by the virus:
  - Yahoo! Messenger
  - Windows Live Messenger
  - Windows Messenger
- Message contents:
  - "is it cool :D"
  - "see my new clip on Youtube =))"
  - "I told you I got an iPhone4 for free :))"
  - "my new iPad is coming ;;)"
- These messages are sent with a link to the fake YouTube:
- Download other malware and update itself via the following links:
Nguyen Cong Cuong
Senior Malware Researcher
Sincere thanks to Nguyen Hong Quang for his malware analysis.