"Yuo Tube" clone, Flash installer a trojan?

Hi, wondering if you can check this devious file out?
I got a message on Facebook today from a friend (assuming they sent it of course and they haven’t been hacked etc.) - with a link pretending to be a funny video.
Here’s a link to the page: (change hxxp to http in the address bar)
hxxp://www.checkflyer.com/s5qILFyVYR/?schk=F0F2EFE6E9ECE5AEE1EBAEE6E1E3E5E2EFEFEBAEE3EFEDAFF6B2B2B3AFB1B7B5B4AFB7B5AFF1B6B9B3B5B3B9B4B9B2DFB3B8B8B7AEEAF0E7&keat=C4E5EEE9F3E5A0D7E1F2E4A0D2E5A0C3E1F2F2
The page is made to look like a YouTube page, down to the graphics and comments… except the logo is missing, it says Yuo Tube, and the page is “© 2008 ali baba & 40 , LLC”.
Every single link on there takes you to the installer flash_update.exe, which is a very small file with no authoring info (which would verify that it’s from Macromedia/Adobe).

Avast! antivirus hasn’t found anything wrong with it, but I haven’t run it for all the reasons stated above.

I’m wondering if it’s just a joke or if it could actually be a dangerous file? :-\

Thanks in advance!

ps. I have copies of the page and file if the link mysteriously vanishes

Please modify your post and change the http to hXXp; this will break the link to avoid accidental exposure to a suspect location.

The Ali Baba rings a bell (appears in the page title at the top of the window) if you do a forum search as this has cropped up before, but a different url, this was for a hacked site rather than what appears like a phishing expedition.

Results from VirusTotal:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.9.6.0 | 2008.09.08 | - |
| AntiVir | 7.8.1.28 | 2008.09.08 | TR/Downloader.Gen |
| Authentium | 5.1.0.4 | 2008.09.07 | W32/Threat-HLLIP-based!Maximus |
| Avast | 4.8.1195.0 | 2008.09.07 | - |
| AVG | 8.0.0.161 | 2008.09.08 | Worm/Generic.JUX |
| BitDefender | 7.2 | 2008.09.08 | - |
| CAT-QuickHeal | 9.50 | 2008.09.06 | (Suspicious) - DNAScan |
| ClamAV | 0.93.1 | 2008.09.08 | - |
| DrWeb | 4.44.0.09170 | 2008.09.08 | - |
| eSafe | 7.0.17.0 | 2008.09.07 | Suspicious File |
| eTrust-Vet | 31.6.6077 | 2008.09.08 | Win32/Koobface!generic |
| Ewido | 4.0 | 2008.09.08 | - |
| F-Prot | 4.4.4.56 | 2008.09.07 | W32/Threat-HLLIP-based!Maximus |
| F-Secure | 8.0.14332.0 | 2008.09.08 | Net-Worm.Win32.Koobface.ah |
| Fortinet | 3.112.0.0 | 2008.09.08 | PossibleThreat |
| GData | 19 | 2008.09.08 | Net-Worm.Win32.Koobface.ah |
| Ikarus | T3.1.1.34.0 | 2008.09.08 | Trojan-Clicker.Win32.Small.BG |
| K7AntiVirus | 7.10.446 | 2008.09.08 | - |
| Kaspersky | 7.0.0.125 | 2008.09.08 | Net-Worm.Win32.Koobface.ah |
| McAfee | 5378 | 2008.09.05 | - |
| Microsoft | 1.3903 | 2008.09.08 | Worm:Win32/Koobface.A |
| NOD32v2 | 3426 | 2008.09.08 | probably a variant of Win32/Koobface |
| Norman | 5.80.02 | 2008.09.08 | - |
| Panda | 9.0.0.4 | 2008.09.07 | Suspicious file |
| PCTools | 4.4.2.0 | 2008.09.08 | - |
| Prevx1 | V2 | 2008.09.08 | Suspicious |
| Rising | 20.61.02.00 | 2008.09.08 | - |
| Sophos | 4.33.0 | 2008.09.08 | Troj/Koobfa-A |
| Sunbelt | 3.1.1616.1 | 2008.09.07 | - |
| Symantec | 10 | 2008.09.08 | - |
| TheHacker | 6.3.0.8.075 | 2008.09.06 | - |
| TrendMicro | 8.700.0.1004 | 2008.09.08 | PAK_Generic.001 |
| VBA32 | 3.12.8.5 | 2008.09.08 | - |
| ViRobot | 2008.9.8.1367 | 2008.09.08 | - |
| VirusBuster | 4.5.11.0 | 2008.09.08 | - |
| Webwasher-Gateway | 6.6.2 | 2008.09.08 | Trojan.Downloader.Gen |

Hi, thanks David, have changed the above post to hxxp. Can’t seem to find anything searching for ali baba apart from the alibabar toolbar, which I suppose it could be related to (thinking it’s identity theft after all)…
Have got a message back from my friend, she didn’t send it and has had the same message from other friends that didn’t send it, so I’m going to assume that the file is a phishy spyware trojan type thing.

Incidentally, I found another very similar page from looking up “ali baba & 40 , LLC” in Google.
I assume it’s the same hack you’ve mentioned. Here’s Google’s cached copy (again I’ve replaced the http with hxxp):
hxxp://64.233.183.104/search?q=cache:Yu7k0zW0aiQJ:www.sbestfood.com/+%22ali+baba+%26+40+,+LLC%22&hl=en&ct=clnk&cd=1&gl=uk&client=firefox-a

They appear to have replaced the name and photo with her facebook name/direct link to her pic.

Ahh and thanks to FreewheelinFrank ;D that’s the confirmation I needed… do hate these nasty things. I’ll use that VirusTotal in future to double check these things.

So as avast can’t find it yet, has anyone got any idea how to remove this from my friend’s and her friends’ computers?

Hi malware fighters,

Look here for an article on this particular malware:

http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html

For characteristics see: http://vil.nai.com/vil/content/v_148955.htm

polonus

Please see the following topic:

http://forum.avast.com/index.php?topic=37795.0

Until this day I didn’t get any answer to my question: does avast! detect this virus?

and it’s very disappointing that it still doesn’t…

royshaa
thanks for bringing the U-tube thing to my attention last month
you were one of the first to spot this bad thing

I do not know if AVAST targets- you would think they would by now
but I am not going to test

Anyone?

good reason to run Secunia software inspector after tomorrow’s MS Tuesday updates