Softpedia
 


October 13th, 2010, 16:40 GMT · By

IM Worm Uses URL Encoding to Spam Misleading YouTube Links



Worm uses URL encoding to create misleading YouTube links
Security researchers warn that a new instant messaging worm uses URL encoding to create misleading links that direct users to fake YouTube pages.

The spam messages are received from friends whose computers have already been infected, and contain links of the form: http://youtube.com%2Ech[censored]config%2Einfo/?video=flash&vid=thr2503

For a non-technical user the link might appear to lead to youtube.com, but %2E is actually the hexadecimal representation for the "." [dot] character.

As a result, browsers will interpret the URL as http://youtube.com.ch[censored]config.info, where ch[censored]config.info is the destination domain and not youtube.com.
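A check that a messaging or mail filter could apply to the trick described above, as an added example that is not part of the original article: it percent-decodes only the host part of each link and flags links whose visible prefix reads as a different domain from the real destination. The sample messages, the placeholder domain example-config.info and the last-two-labels shortcut for the destination domain are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
URL_IN_TEXT = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def inspect_host(url):
    """Compare the host as written in the link with the host after percent-decoding."""
    raw_host = urlsplit(url).hostname or ""   # lowercased; userinfo and port removed
    decoded_host = unquote(raw_host)          # one decoding pass, as the article describes
    labels = decoded_host.rstrip(".").split(".")
    return {
        "raw_host": raw_host,
        "decoded_host": decoded_host,
        # What a reader tends to see: the text before the first escape.
        "apparent": PCT_ESCAPE.split(raw_host, maxsplit=1)[0],
        # Assumption: the last two labels stand in for the registrable domain
        # (a production filter would consult the Public Suffix List).
        "destination": ".".join(labels[-2:]),
        "encoded": bool(PCT_ESCAPE.search(raw_host)),
    }


def is_misleading(url):
    """True when escapes in the host hide that the visible domain is not the destination."""
    info = inspect_host(url)
    # Escapes in the path or query are normal; only the host matters here.
    if not info["encoded"]:
        return False
    shown, dest = info["apparent"], info["destination"]
    return "." in shown and shown != dest and not shown.endswith("." + dest)


def flag_links(message):
    """Return the misleading links found in one chat message."""
    return [u for u in URL_IN_TEXT.findall(message) if is_misleading(u)]


# Constructed sample messages; example-config.info is a placeholder domain.
SAMPLES = [
    "see my new clip on YouTube =)) http://youtube.com%2Eexample-config%2Einfo/?video=flash&vid=thr2503",
    "is it cool :D http://www.youtube.com/watch?v=abc%2E123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(flag_links(msg) or "clean", "<-", msg)
```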

IM spam with obfuscated YouTube URL
The landing site is a clone of a real YouTube page for a human rights campaign video about Burma (Myanmar) that features Tila Tequila.

However, a message displayed where the video should be reads: "You need Adobe Flash Player to watch this video. Download it from Adobe."

Social engineering tricks that involve asking users to download missing codecs or Flash Player updates are commonly used to spread malware, but this one is more believable than most.

Security researchers from Vietnamese antivirus vendor Bkis, who analyzed the new threat, report that the malicious file served from the page was written in AutoIt, a basic scripting language.

Its infection routine involves copying itself to the Startup folder and changing the home page in Internet Explorer in order to promote a particular website.

It also sends spam messages through several instant messaging applications, including Yahoo! Messenger, AIM, Windows Live Messenger and the XP Windows Messenger client.

The messages vary and, in addition to the previously mentioned iPhone4 one, they can be: "is it cool :D", "see my new clip on YouTube =))" or "my new iPad is coming ;;)".

The worm, which Bkis calls W32.Faketube.Worm, downloads additional malware and updates itself by contacting a remote URL that points to an IP address from The Planet.
