A note sent through AOL's popular instant-messaging software directs victims to Web sites that host the dangerous graphics.
Special to CNET News.com
A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over America Online's instant-messaging program.
Experts at the SysAdmin Audit Network Security, or SANS, Institute said the virus is still in its infancy, with the institute having received only two reports of infection so far.
"It's been done in the past, but with HTML code instead of the JPEG," said Johannes Ullrich, chief technical officer for SANS' Internet Storm Center, the organization's online-security research unit. "It is a virus, but it didn't spread very far. We've only had two reports of it."
According to the Internet Storm Center, the victims received AOL Instant Messenger messages that directed them to Web sites that hosted the dangerous JPEG images.
The instant messages read: "Check out my profile, click GET INFO!" When visited, the Web site automatically sends malicious code embedded in the JPEG image to the computer, Ullrich said. Once infected with the code, the computer sends the same message to other contacts in the instant-messenger list.
The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Mikko Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also dodge antivirus technology. By default, antivirus software only scans for .exe files. And even if users change the settings on antivirus software, the JPEG file name extensions can be manipulated to avoid detection.
"We haven't seen any damage reports of this worm," Hypponen added on Thursday. "I've seen some discussion, but our best estimate is that it hasn't got very far."
Microsoft issued a patch for the vulnerability on Sept. 14 but was unavailable to comment on the virus.
Next week, Microsoft is launching a beta version of its instant-messaging product, MSN Messenger. The product will not be available to the public until it has been tested by a small group of users, the company said.
Dan Ilett of ZDNet UK reported from London.