Wednesday, 11 January 2012

Malicious Youtube Extension, YXH-youtube_player.xpi and YXH-youtube_player.crx (Uninstall Guide)

Cyber criminals are spamming out a malicious web browser extension posing as a Youtube Player. The malicious extensions, YXH-youtube_player.xpi (Mozilla Firefox) and YXH-youtube_player.crx (Google Chrome), are currently spreading through Facebook. The attackers rely mostly on social engineering to get people to install them. The campaign becomes a lot worse when infected users post the links on third-party websites that embed the Facebook Comments Box. At least the links that lead to the fake Youtube websites are not clickable there.



The bit.ly link redirects users to a website impersonating youtube.com. A pop-up then prompts the user to click a notification and install a "Youtube HD Player".



Actually, you don't even need to click the notification: the download of the malicious extension starts automatically.



It goes without saying that you shouldn't install add-ons from websites you don't trust. Unfortunately, people seem willing to do whatever it takes to watch a video that has caught their attention, and that is exactly what social engineering attacks exploit.

YXH-youtube_player.crx (Youtube Player 6.1.8) extension installed in Google Chrome:



Extension's files:



Let's take a look inside go.js to see how key functions are implemented.


As you can see, it loads another JavaScript file, http://bbpeonf.info/script.js, which at the time we investigated this threat redirected us to 50.56.234.67/s.js.


The malicious browser extension YXH-youtube_player.xpi is currently detected by only 2 of the 42 antivirus engines on VirusTotal (VT report: YXH-youtube_player.xpi). ESET detects it as JS/TrojanClicker.Agent.NDA and Fortinet as W32/Agent.FBH!phish.

As far as I know, programs classified as JS.Trojan-Clicker are designed to drive traffic to certain sites in order to inflate hit counts for online ads, to conduct denial-of-service attacks against particular servers, or simply to redirect victims to infected websites. One way or another, you need to remove such malicious web browser extensions from your computer immediately. To remove JS/TrojanClicker.Agent.NDA from your computer, follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!


Remove YXH-youtube_player.xpi in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Choose Youtube Player 6.1.8 and click the Uninstall button.




Remove YXH-youtube_player.crx in Google Chrome:

1. Click the Customize and control Google Chrome icon and select Tools → Extensions.



2. Choose Youtube Player 6.1.8 and click the Remove button.



Finally, scan your computer with anti-malware software.


Associated Youtube Player 6.1.8 files:
  • C:\Documents and Settings\[User]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt\6.1.8_0
  • C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\o45jfr56.default\extensions\admin@youtubeplayer.com