The worm replicates itself by sending messages to other MSN Messenger users but doesn't otherwise damage PCs, experts said.
The virus may have originated with a demonstration originally created weeks ago to warn of an Internet Explorer exploit.
JS/Exploit-Messenger, as it is called, apparently emerged from several different locations at once on Wednesday. It exploits a hole in the Internet Explorer browser that Microsoft made public Feb. 11 along with a bug fix, just two days before the worms appeared.
"The main problem is getting people to apply the patches," said Jack Clark, product marketing manager with Network Associates. "There are a lot of desktops out there."
A worm is a type of virus that replicates itself across a network.
Some of the pages containing the code were taken down quickly, according to virus companies. The worm appears to have spread at high speed because of the instantaneous nature of Internet-based instant messaging, but it does not appear to have infected large numbers of users. Sophos, a UK-based antivirus company, said none of its customers had reported being hit by the virus.
Could wreak havoc
However, experts say that the use of instant messaging--which is now closely integrated with Internet Explorer--and worms could turn out to be an explosive combination because of the speed with which instant messages can spread, much more quickly than an e-mail message.
Researchers originally warned Microsoft of the IE hole in mid-December, according to Sophos support manager Peter Cooper. The researchers said their warning about the "same origin policy violation" had gone unacknowledged from Microsoft, so they created a demonstration of the exploit to encourage the company to take action, according to Cooper.
"It's possible the virus writer crafted the message him or herself, but that the payload came from this demonstration," Cooper said.
Microsoft was not immediately available for comment.
Most antivirus companies have updated their virus definitions to recognize JS/Exploit-Messenger. The software can generally be updated online.
Matthew Broersma reported from London.