This malware will block your Facebook. Beware!
Malware continues to attack Facebook users. This time, the malware spreads through Facebook chat by sending a message containing a malicious link to the user’s friends.
The message looks like this:
hahahh Foto :D hxxp://apps.facebook.com/glombotke/photo.php?=1012323960
The link leads to a malicious Facebook application page.
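As an added illustration (not Emsisoft's detection logic or code from the original post), the following sketch scores chat messages against the traits of the lure quoted above: very little text, a link to an apps.facebook.com application page, a path imitating photo.php, and a query value with no parameter name. The function names, the two thresholds and the second and third sample messages are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample chat messages; the first is the lure quoted in the post
# (kept defanged as hxxp). Nothing here is ever fetched.
SAMPLES = [
    "hahahh Foto :D hxxp://apps.facebook.com/glombotke/photo.php?=1012323960",
    "Here are the holiday pictures: https://www.facebook.com/photo.php?fbid=123",
    "lunch at 12?",
]

URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)
MAX_LURE_WORDS = 4   # assumption: lure text is only a few words long
FLAG_AT = 2          # assumption: two or more traits warrant a warning


def refang(url):
    """Make a defanged hxxp:// URL parseable again."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def lure_traits(message):
    """List which traits of the lure described in the post a message shows."""
    traits = []
    urls = URL_RE.findall(message)
    if not urls:
        return traits
    if len(URL_RE.sub("", message).split()) <= MAX_LURE_WORDS:
        traits.append("only a few words around the link")
    for raw in urls:
        parts = urlsplit(refang(raw))
        segments = [s for s in parts.path.split("/") if s]
        if parts.hostname == "apps.facebook.com" and segments:
            traits.append("link goes to a Facebook application page")
            if len(segments) > 1 and segments[-1].lower() == "photo.php":
                traits.append("application path imitates photo.php")
        if parts.query.startswith("="):
            traits.append("query value has no parameter name")
    return traits


def is_suspect(message):
    return len(lure_traits(message)) >= FLAG_AT


if __name__ == "__main__":
    for msg in SAMPLES:
        print(is_suspect(msg), lure_traits(msg), "<-", msg)
```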
Using social engineering, the malware author tries to deceive users by displaying a fake screen that says “Photo has been Moved.”
If “View Photo” is clicked, the malware file is downloaded.
Once the user runs the file, another window opens and leads to the MySpace site (http://www.myspace.com/browse/people) or Google. In the background, when the user accesses his Facebook account, the malware goes back into action by sending chat messages to the user’s friends.
Next, if the user wants to log in again, the malware blocks the login page and displays a “scam survey” message with the link “Win an Apple product”. If the link is clicked, the user is taken to a page that contains ads or affiliate links.
Another variant redirects to a different scam survey page and shows a birthday message box when the user opens Facebook.
When the user returns to the login page, he will find that his Facebook account has been suspended, with a message:
Your Account as been suspended!
The suspend will be released after 80 minutes
The suspend will be disabled only if you fill out one survey!
Please wait 80 minutes and tray again.
Actually, the account is not really suspended; it’s just a fake message created by the malware.
Emsisoft Anti-Malware detects this malware as Worm.Win32.Yimfoca!A2 or Trojan.Win32.Scar!IK. The VirusTotal detection rate is quite low at the moment: only 13 out of 42 antivirus engines. For the other variant the result is much lower, only 3/43.
So, always keep your Emsisoft Anti-Malware updated, stay alert, and be cautious with everything you receive.