Worm forces survey participation on Facebook users

Stephen Doherty, security researcher for Symantec, has posted a warning and analysis of a new Worm that spreads via instant messaging platforms. Once a system is infected, the Worm will download a variant of itself, which in turn prevents access to Facebook unless a survey is completed.

While Yahoo Instant Messenger is the messaging platform that gave rise to the Worm, dubbed Yimfoca by Symantec, it can target several others, including AOL and MSN. The Worm works by using infected systems to spam messages to the messenger application’s friends list.

The messages target 44 countries, including the U.S., the U.K., Canada, Mexico, Spain, Germany, France, Russia, and more. In addition to location targets, the messages that contain the malicious URL can appear in more than 20 languages. If the host language is unknown, the Worm will default to using English.

Example Messages:

mira esta fotografa :D [MALICIOUS LINK]
seen this?? :D [MALICIOUS LINK]
pogledaj to slike :D [MALICIOUS LINK]
guardare quest’immagine :D [MALICIOUS LINK]

If the system is infected, Yimfoca will download additional Malware, including a variant of its own code. This variant will force users to complete surveys before they are allowed access to Facebook.

The Worm uses an overlay message on the Facebook homepage, which explains that your account is suspended. “To make your account active you need to complete one of these surveys,” the message concludes.

“If you fail to fill out the survey you will be locked out while W32.Yimfoca is running. So long as W32.Yimfoca is running on your computer and you haven’t completed a survey you will be blocked from accessing facebook.com. Every time the malware restarts, its state is reset and you will be prompted to fill out a survey again to gain access (for example after a reboot),” Doherty explained.

If there is any good news to this Worm it could be that it is Internet Explorer centric, so other browsers will access Facebook with no problems. The down side is that most of the planet uses Internet Explorer to access the Web.

“If you receive an unexpected link from a contact through an instant message you can always respond with a question about the link to verify it’s not malware spreading them. If you receive a link promoting a deal that sounds too good to be true—whether on a social network, via email or via Instant message—then usually it is,” added Doherty.

Facebook surveys generate a good deal of money for scammers, and there have been countless examples of scams linked to them reported this year. Symantec says that Yimfoca is using surveys promoted by cpaleads.com, which pays up to $1.00 USD per completed survey.

Security vendor Sophos has been keeping track of these survey scams, you can read more from them here. Symantec’s research is here.

Leave a Comment


seven + 9 =


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>