Update: March 3, 2009. A new variant of Koobface now appearing at Facebook involves a message that appears to be from a friend and that contains a link to a video. When the user clicks the link, he or she is advised that Adobe Flash is out of date and needs to be updated. Clicking the link actually installs the Koobface.az virus on the user's PC. Once lodged there, it examines the cookies stored on the machine for those belonging to Facebook and several other social websites, retrieving passwords and login names as it goes. For each compromised account, it repeats its malicious message to each registered friend.
A related scam involves a fake message claiming that the user has been turned in for violation of the terms of service.
Update: December 1, 2009. Bredolab is a Facebook scam consisting of phoney password reset emails. The emails appear to come from "firstname.lastname@example.org" and reference an attachment. The attachment is a zip file that contains one or more .exe files that install the malware. This then makes the PC part of the Bredolab botnet network.
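A mail-filter style check for the delivery method described above (a zip attachment carrying .exe files), as an added example that is not part of the original article. The extension list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed blocklist: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executable_members(zip_bytes):
    """Return the names of archive members that look like Windows programs.

    A member is reported if its extension is on the blocklist or if its
    content starts with the 'MZ' header, so a renamed .exe is still caught.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []  # not a zip at all, nothing to report
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces in file names.
            name = info.filename.lower().rstrip(". ")
            ext = PurePosixPath(name).suffix
            try:
                with archive.open(info) as member:
                    magic = member.read(2)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                magic = b""  # encrypted or unreadable: judge by name only
            if ext in EXECUTABLE_EXTS or magic == b"MZ":
                hits.append(info.filename)
    return hits


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachment, not taken from a real message.
    sample = build_sample_zip({"new_password.exe": b"MZ\x90\x00",
                               "readme.txt": b"plain text"})
    print(executable_members(sample))
```

A gateway or mail client rule would quarantine any message for which the returned list is not empty.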
In late November a potentially embarrassing but not otherwise malignant piece of malware appeared on Facebook, targeting wall images. When a user clicks on a risqué image, the malware moves the image to the user's own page. Typically, the image would display something similar to "Want 2 see something hot? Click da button, baby." When the same image and come-on appear on the other page, it looks as if the owner had set it himself. To avoid this problem, simply don't "click da button."
What's noteworthy, and what we'll touch on again in the conclusion, is that it still takes a deliberate act by the user to become vulnerable to these types of scams. Treat everything you get from a "friend" with suspicion, even to the point of contacting them off-channel to see if they really sent you the message.