Worm exploits MSN Messenger

A worm that uses Microsoft's MSN Messenger application to exploit a browser glitch has spread rapidly, despite the existence of a patch covering the security hole, according to experts.

The worm replicates itself by sending messages to other MSN Messenger users but doesn't otherwise damage PCs, experts said.

The virus may have originated with a demonstration created weeks ago to warn of an Internet Explorer exploit.

JS/Exploit-Messenger, as it is called, apparently emerged from several different locations at once on Wednesday. It exploits a hole in the Internet Explorer browser that Microsoft made public February 11 along with a bug fix, just two days before the worms appeared.

"The main problem is getting people to apply the patches," said Jack Clark, product marketing manager with Network Associates. "There are a lot of desktops out there."

A worm is a type of virus that replicates itself across a network.

The hole allows Internet Explorer to automatically execute harmful JavaScript code embedded in a Web page. In this case, code appeared on several Web sites causing Explorer to create a Messenger missive and dispatch it to other contacts within Messenger. The note contains a link back to the Web page containing the code, with a message such as "Hey go to (link) plz" or "Go to (link) NoW!!!"

Some of the pages containing the code were taken down quickly, according to virus companies. The worm appears to have spread at high speed because of the instantaneous nature of Internet-based instant messaging, but it does not appear to have infected large numbers of users. Sophos, a UK-based antivirus company, said none of its customers had reported being hit by the virus.

Could wreak havoc
However, experts say that instant messaging--which is now closely integrated with Internet Explorer--and worms could turn out to be an explosive combination, because instant messages can spread much more quickly than e-mail messages.

JavaScript code is not as damaging as, for instance, the Visual Basic script distributed by many notorious e-mail worms. It is "sandboxed," meaning that the types of actions the scripts can carry out are strictly limited; for example, scripts can't carry out certain system-level actions unless they come from a company that is trusted and approved by the user.

But coupled with other exploits, JavaScript could be used to wreak havoc on a PC, experts warn. "JavaScript is a pretty powerful language," Clark said.

The JavaScript code used to create the worm may have come from a demonstration designed to warn of the dangers of the Internet Explorer bug as early as December, according to Sophos.

Researchers originally warned Microsoft of the IE hole in mid-December, according to Sophos support manager Peter Cooper. The researchers said their warning about the "same origin policy violation" had gone unacknowledged by Microsoft, so they created a demonstration of the exploit to encourage the company to take action, according to Cooper.

"It's possible the virus writer crafted the message him or herself, but that the payload came from this demonstration," Cooper said.

Microsoft was not immediately available for comment.

Most antivirus companies have updated their virus definitions to recognize JS/Exploit-Messenger. The software can generally be updated online.
