It all starts with a harmless-looking email, which invites the soon-to-be victim to click on fake YouTube link. The scam has a good chance at working, since the mail appears to have been sent from the video-sharing website and the text is pretty standard for this sort of message (see image):

“From: "YouTube Service"
To : [removed]
Bcc : [removed]
Subject: Your friend sent you a video!
Date: Thu, 15 Nov 2007 08:58:31 +1000”

However, there are a few hints that such as email is anything but legitimate, as pointed out on the Symatec Security Response blog:

“the spoofed URL in this latest scam redirects visitors to dynamic domain names with seemingly unusual top level domains (TLDs), such as .li, .ch, and .es. […]

The domains that are used to impersonate the YouTube Web site are,, and These TLDs are not the usual .com or .net domains. The links will force the download of a malicious executable “install_flash_player.exe,” which in fact is a threat already detected by Symantec.”

So, if Hans sends you an email in the near future, please do your best and click on the delete button instead of clicking on the provided link.