If you logged in to Facebook recently, you may have been bombarded with a fake video titled “Candid Camera Prank [HQ]” and messages saying “this is without doubt the sexiest video ever! :P :P :P”, posted on your wall or on friends’ profiles. The post is accompanied by a photo that looks like a movie thumbnail of a woman in a short skirt on an exercise bicycle, shot from a teasing low angle.
However, upon clicking on the video, the Facebook user is asked to grant the application permission to access the user’s public information, post to the user’s wall, and access user data at any time. Once permission is granted, a “Thanks for the confirmation! You can continue to the video now” message is displayed. When the user clicks the Continue button to view the video, the user is instead prompted to update an out-of-date FLV player. The user is then instructed to download and install a file named VLCsetup.exe, a fake setup installer that tries to fool the user into believing it is installing the VLC (VideoLAN) player, when in fact it infects the computer with malware or adware called Hotbar.
To make matters worse, the same video is posted to all of the user’s Facebook friends under the name and avatar of the user who watched it, spreading the malware to an even wider group of Facebook users. The process repeats itself each time another user clicks on the application to watch the video.
Here’s a video demo by WebSense of what happens when users click on the Sexiest Video Ever link.
According to Microsoft, Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer, and installs graphical skins for Internet Explorer, Outlook, and Outlook Express. The toolbar contains buttons that can change depending on the current Web page and the keywords on it. Clicking a button on the toolbar may open an advertiser Web site or paid search site, and users may see pop-up ads. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.
For Facebook users who are only now seeing the “Sexiest Video Ever” video on their walls, do not click on the links or allow the Facebook application to run, even though Facebook has removed the rogue app, after letting it run rampant for 12 hours.
For users who have installed Hotbar, most anti-virus software can remove and clean it, so just scan the computer with up-to-date anti-virus software. Hotbar may also add an entry in Add and Remove Programs or Programs and Features in Control Panel, which allows it to be uninstalled. In addition, it’s recommended to change the Facebook password and verify on Facebook’s Application Settings page that the rogue app is no longer granted any permissions (even though the app has been removed).
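As an added example (not part of the original article), the following read-only PowerShell check covers two of the clean-up steps above on a Windows machine: it looks for a Hotbar entry in the Add/Remove Programs (Uninstall) registry keys and for the fake VLCsetup.exe installer in the user’s Downloads folder. It assumes the adware registers an uninstall entry with “Hotbar” in its DisplayName and that the browser saved the installer to the default Downloads folder; both are assumptions.

```powershell
# Added example: read-only check for Hotbar remnants after the "Sexiest Video Ever" scam.
# Assumption: the adware's uninstall entry has "Hotbar" in DisplayName under the standard keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Find-HotbarUninstallEntry {
    # Returns every uninstall entry whose DisplayName contains "Hotbar"
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like '*Hotbar*') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
        }
    }
}

function Find-FakeVlcInstaller {
    # Assumption: the fake installer was saved to the default Downloads folder
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    if (Test-Path $downloads) {
        Get-ChildItem -Path $downloads -Filter 'VLCsetup.exe' -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$entries = @(Find-HotbarUninstallEntry)
if ($entries.Count -gt 0) {
    Write-Host "Hotbar uninstall entries found (remove via Control Panel or the UninstallString):"
    $entries | Format-Table -AutoSize
} else {
    Write-Host "No Hotbar entry in Add/Remove Programs."
}

$droppers = @(Find-FakeVlcInstaller)
if ($droppers.Count -gt 0) {
    Write-Host "VLCsetup.exe found in Downloads; scan it with anti-virus and delete it:"
    $droppers | Format-Table -AutoSize
}
```

The script only reports; removal is still done through Control Panel or the anti-virus scanner, and the Facebook password change and app-permission check must be done in the browser.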