Worm attacks MSN Messenger

A worm that uses Microsoft's MSN Messenger application to exploit a browser glitch emerged late on Wednesday and spread rapidly, despite the existence of a patch covering the security hole, according to experts. The worm replicates itself by sending messages to other MSN Messenger users but doesn't otherwise damage PCs, experts said.

The virus may have originated with a demonstration originally created weeks ago to warn of an Internet Explorer exploit.

JS/Exploit-Messenger, as it is called, apparently emerged from several different locations at once on Wednesday. It exploits a hole in the Internet Explorer browser that Microsoft made public on 11 February along with a bug fix, just two days before the worms appeared.

"The main problem is getting people to apply the patches," said Jack Clark, product marketing manager with Network Associates. "There are a lot of desktops out there."

A worm is a type of virus that replicates itself across a network.

The hole allows Internet Explorer to automatically execute harmful JavaScript code embedded in a Web page. In this case, code appeared on several Web sites causing Explorer to create a Messenger missive and dispatch it to other contacts within Messenger. The note contains a link back to the Web page containing the code, with a message like "Hey go to (link) plz" or "Go to (link) NoW !!!".

Some of the pages containing the code were taken down quickly, according to virus companies. The worm appears to have spread at high speed, due to the instantaneous nature of Internet-based instant messaging, but does not appear to have infected large numbers of users. Sophos, a UK-based antivirus company, said none of its customers had reported being hit by the virus.

However, experts say that instant messaging -- which is now closely integrated with Internet Explorer -- and worms could turn out to be an explosive combination because of the speed with which instant messages can spread, much more quickly than an email message.

JavaScript code is not as damaging as, say, the Visual Basic script distributed by many notorious email worms. It is "sandboxed", meaning that the types of actions the scripts can carry out are strictly limited; for example, scripts can't carry out certain system-level actions unless they come from a vendor that is trusted and approved by the user.

But coupled with other exploits, JavaScript could be used to wreak havoc on a PC, experts warn. "JavaScript is a pretty powerful language," said Clark.

The JavaScript code used to create the worm may have come from a demonstration designed to warn of the dangers of the Internet Explorer bug as early as December, according to Sophos.

Researchers originally warned Microsoft of the IE hole in mid-December, according to Sophos support manager Peter Cooper. The researchers said their warning about the "same origin policy violation" had gone unacknowledged from Microsoft, so they created a demonstration of the exploit to encourage the company to take action, according to Cooper.

"It's possible the virus writer crafted the message him- or herself, but that the payload came from this demonstration," Cooper said.

Microsoft was not immediately available for comment.

Most antivirus companies have updated their virus definitions to recognise JS/Exploit-Messenger. The software can generally be updated online.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.