by ZDnet 
A worm that uses Microsoft's MSN Messenger application to exploit a browser glitch emerged late on Wednesday and spread rapidly, despite the existence of a patch covering the security hole, according to experts. The worm replicates itself by sending messages to other MSN Messenger users but doesn't otherwise damage PCs, experts said.

The virus may have originated with a demonstration originally created weeks ago to warn of an Internet Explorer exploit. JS/Exploit-Messenger or JS.Menger.Worm, as it is called, apparently emerged from several different locations at once on Wednesday. It exploits a hole in the Internet Explorer browser that Microsoft made public on February 11 along with a bug fix, just two days before the worm appeared.

"The main problem is getting people to apply the patches," said Jack Clark, product marketing manager with Network Associates. "There are a lot of desktops out there."

A worm is a type of virus that replicates itself across a network.

The hole allows Internet Explorer to automatically execute harmful JavaScript code embedded in a Web page. In this case, code appeared on several Web sites causing Explorer to create a Messenger missive and dispatch it to other contacts within Messenger. The note contains a link back to the Web page containing the code, with a message like "Hey go to (link) plz" or "Go to (link) NoW !!!".
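The propagation pattern described above (a fixed lure phrase plus a link, pushed to every contact) is what a defender would key on. The following is an added detection example, not code from the article or from any vendor named in it: it parses a constructed IM gateway log in a hypothetical format, flags the two lure phrasings quoted in the story, and separately flags any sender pushing the same URL to many recipients, which catches the spread even if the wording changes.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not from the article):
# "<time> <sender> -> <recipient>: <message>"
SAMPLE_LOG = """\
10:01:02 alice -> bob: hey, lunch at 1?
10:01:05 carol -> dave: Hey go to http://example.invalid/page.html plz
10:01:06 carol -> erin: Hey go to http://example.invalid/page.html plz
10:01:06 carol -> frank: Hey go to http://example.invalid/page.html plz
10:01:09 bob -> alice: sure
10:02:30 gus -> hank: Go to http://example.invalid/other NoW !!!
10:03:11 alice -> carol: did you mean to send that link?
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<sender>\S+) -> (?P<recipient>\S+): (?P<text>.*)$")

# Signature for the two lure phrasings quoted in the article, case-insensitive.
LURE_RE = re.compile(r"\b(?:hey )?go to\s+(?P<url>https?://\S+)\s+(?:plz|now\s*!+)", re.IGNORECASE)

URL_RE = re.compile(r"https?://\S+")


def parse_log(log: str) -> list[dict]:
    """Turn the log text into a list of {time, sender, recipient, text} dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_hits(events: list[dict]) -> list[tuple]:
    """Return (sender, recipient, url) for every message matching the lure wording."""
    hits = []
    for e in events:
        m = LURE_RE.search(e["text"])
        if m:
            hits.append((e["sender"], e["recipient"], m.group("url")))
    return hits


def fanout_suspects(events: list[dict], threshold: int = 3) -> dict:
    """Flag (sender, url) pairs sent to at least `threshold` distinct recipients.
    A worm messaging a victim's whole contact list shows up here regardless of text."""
    seen = defaultdict(set)
    for e in events:
        for url in URL_RE.findall(e["text"]):
            seen[(e["sender"], url)].add(e["recipient"])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}
```

The fan-out check is the more durable of the two: signature text is trivial for a variant to change, while sending one link to many contacts in seconds is the worm's defining behaviour.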
 
Some of the pages containing the code were taken down quickly, according to virus companies. The worm appears to have spread at high speed, due to the instantaneous nature of Internet-based instant messaging, but does not appear to have infected large numbers of users. Sophos, a UK-based antivirus company, said none of its customers had reported being hit by the virus.

However, experts say that instant messaging--which is now closely integrated with Internet Explorer--and worms could turn out to be an explosive combination because of the speed with which instant messages can spread, much more quickly than an e-mail message.

JavaScript code is not as damaging as, say, the Visual Basic script distributed by many notorious e-mail worms. It is "sandboxed", meaning that the types of actions the scripts can carry out are strictly limited; for example, scripts can't carry out certain system-level actions unless they come from a vendor that is trusted and approved by the user.

But coupled with other exploits, JavaScript could be used to wreak havoc on a PC, experts warn. "JavaScript is a pretty powerful language," said Clark.

The JavaScript code used to create the worm may have come from a demonstration designed to warn of the dangers of the Internet Explorer bug as early as December, according to Sophos.

Researchers originally warned Microsoft of the IE hole in mid-December, according to Sophos support manager Peter Cooper. The researchers said their warning about the "same origin policy violation" had gone unacknowledged by Microsoft, so they created a demonstration of the exploit to encourage the company to take action, according to Cooper.

"It's possible the virus writer crafted the message him- or herself, but that the payload came from this demonstration," Cooper said.

Microsoft was not immediately available for comment.

Most antivirus companies have updated their virus definitions to recognize JS/Exploit-Messenger. The software can generally be updated online.