The bit.ly link redirects users to a website impersonating youtube.com. The user is then prompted via a pop-up screen to click a notification and then install a Youtube HD Player.
Actually, you don't even need to click a notification, a download of malicious extension starts automatically.
It goes without saying that you shouldn't install add-ons from websites that you don't trust. Unfortunately, it seems that people are willing to do whatever it takes to watch videos that have caught their attention. After all, this is what social engineering attacks are all about.
YXH-youtube_player.crx (Youtube Player 6.1.8) extension installed in Google Chrome:
Let's take a look inside go.js to see how key functions are implemented.
The malicious browser extension YXH-youtube_player.xpi is currently detected by only 2 out of the 42 antivirus engines available on Virus Total. VT report YXH-youtube_player.xpi. ESET detects this extension as JS/TrojanClicker.Agent.NDA and Fortinet detects it as W32/Agent.FBH!phish.
As far as I know programs classified as JS.Trojan-Clicker are designed to increase the number of visits to certain sites in order to boost the number of hits for online ads, conduct Denial of Service attacks on a particular servers or simply redirect victims to infected websites. One way or another, you need to remove such malicious web browser extensions from your computer immediately. To remove JS/TrojanClicker.Agent.NDA from your computer, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!
Remove YXH-youtube_player.xpi in Mozilla Firefox:
1. Open Mozilla Firefox. Go to Tools → Add-ons.
2. Select Extensions. Choose Youtube Player 6.1.8 and click Uninstall button.
Remove YXH-youtube_player.crx in Google Chrome:
1. Click on Customize and control Google Chrome icon and select Tools → Extensions.
2. Choose Youtube Player 6.1.8 and click Remove button.
Finally, scan your computer with anti-malware software.
Associated Youtube Player 6.1.8 files:
- C:\Documents and Settings\[User]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt\6.1.8_0
- C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\o45jfr56.default\extensions\email@example.com