A relatively new worm that Symantec named W32.Yimfoca presents a very interesting and never before seen modus operandi.
A variant of the worm spreads via Yahoo! Messenger and, once installed, downloads and installs W32.Yimfoca on the target system. Lately, it has been noticed that it specifically targets Facebook users by denying them access to their accounts if they don’t complete a survey.
Every time the user lands on the Facebook homepage, a window offering the surveys pops up:
Also, while the victim fills out the survey, a progress bar is shown accompanied by a “threat” – “You have only 3 minutes to fill out the selected survey or you will not have access to your account.”
Once you have completed a survey – which, by the way, earn the scammers up to $1 per survey – you can access your account. If you don’t do it within 3 minutes, the worm will not allow you to access the account while it’s running – and it resets even after a reboot of the infected computer.
It is also interesting to note that the worm blocks access to Facebook only if you use Internet Explorer. Using any other browser fails to trigger the worm and you can access your Facebook account without being sidetracked by annoying pop-ups.