IM Worm Combines Ransomware Behavior with Survey Scams

A new version of the Yimfoca IM worm blocks access to Facebook and asks victims to complete surveys before being allowed onto the website.

According to researchers from Symantec, when trying to open facebook.com in Internet Explorer, infected users are greeted by a pop-up which reads: "Your account is suspended. To make your account active you need to complete one of these surveys."

This behavior is very similar to that of scams commonly seen on the social networking website in recent months, however, it is much more aggressive.

Users are given three minutes to fill out one of the listed surveys otherwise they are blocked from trying again until the computer is restarted.

Most of these surveys try to subscribe victims to premium rate services billed on their mobile phones. This is done by leaving an obscure option checked on one of the pages.

Asking users to complete the task in a certain amount of time puts a lot of pressure on them and makes it more likely that they won't notice the subscription option and won't check out the barely visible disclaimer.

"The surveys are coming from cpaleads.com, whose promotional  video offers up to $1 for every survey completed, in effect making the bad guys really, really rich," notes Symantec security researcher Stephen Doherty who analyzed the threat.

Users who fail to complete the task the first time will see a message saying "You don not have access to your account because you do not complete any survey" when they try to access facebook.com again.

The message only goes away only after the computer is restarted, at which point they are offered to complete a survey again. It's worth noting that facebook.com remains accessible via other browsers like Mozilla Firefox or Google Chrome.

This worm spreads via multi-language spam sent through Google Talk, ICQ, MSN Messenger, Paltalk, Skype, Xfire or Yahoo! Messenger. It also infects USB drives.

"If you receive an unexpected link from a contact through an instant message you can always respond with a question about the link to verify it’s not malware spreading them," Mr. Doherty advises.