Effects
The main aim of FakeTube.A is to spread itself via email and affect as many computers as possible.
Infection strategy
FakeTube.A creates the file AVAST!CACHEAGENT.EXE, in the Windows system directory. This file is a copy of the worm.
FakeTube.A creates the following entry in the Windows Registry in order to register itself as a service and be automatically run whenever Windows is started:
- HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ avast!CacheAgent.exe
Means of transmission
FakeTube.A spreads via email in message with erotic content about celebrities like Britney Spears and Paris Hilton, whose names have been replaced with "Britney Spirs" and "Peris Hilton" respectively in these emails.
The message has the following characteristics:
- Subject: it can contain texts like the following:
Giga Video Movie Britney Spirs and 8 Beverage Andorran
Stimulating Image Britney Spirs and One Manifest South Korean - Message: it contains a link to an erotic video of any of these celebrities.
When users click the link to the video, a website imitating YouTube's is displayed, requiring users to download a newer version of Flash Player in order to see the video:
If users download this update, they will be actually downloading a copy of the worm to the computer.
Then, it sends a similar email message to all the contacts of the affected user.
Further Details
FakeTube.A is 25,088 bytes in size and is compressed with UPX.