A worm that uses Microsoft's MSN Messenger application to exploit a browser glitch emerged late on Wednesday and spread rapidly, despite the existence of a patch covering the security hole, according to experts. The worm replicates itself by sending messages to other MSN Messenger users but doesn't otherwise damage PCs, experts said.
The virus may have originated with a demonstration originally created weeks ago to warn of an Internet Explorer exploit.
JS/Exploit-Messenger, as it is called, apparently emerged from several different locations at once on Wednesday. It exploits a hole in the Internet Explorer browser that Microsoft made public on 11 February along with a bug fix, just two days before the worm appeared.
"The main problem is getting people to apply the patches," said Jack Clark, product marketing manager with Network Associates. "There are a lot of desktops out there."
A worm is a type of virus that replicates itself across a network.
Some of the pages containing the code were taken down quickly, according to antivirus companies. The worm appears to have spread at high speed, due to the instantaneous nature of Internet-based instant messaging, but does not appear to have infected large numbers of users. Sophos, a UK-based antivirus company, said none of its customers had reported being hit by the virus.
However, experts say that instant messaging -- which is now closely integrated with Internet Explorer -- and worms could turn out to be an explosive combination because of the speed with which instant messages can spread, much more quickly than an email message.
Researchers originally warned Microsoft of the IE hole in mid-December, according to Sophos support manager Peter Cooper. The researchers said their warning about the "same origin policy violation" had gone unacknowledged by Microsoft, so they created a demonstration of the exploit to encourage the company to take action, according to Cooper.
"It's possible the virus writer crafted the message him- or herself, but that the payload came from this demonstration," Cooper said.
Microsoft was not immediately available for comment.
Most antivirus companies have updated their virus definitions to recognise JS/Exploit-Messenger. The software can generally be updated online.