A computer worm that spreads via instant messaging is being used to build an extensive "botnet" of remote-controlled PCs, a US security firm has warned.
Security experts at US company FaceTime identified the worm as "W32.pipeline" and warned that it spreads via AOL's instant messenger program.
The worm disguises a malicious executable program as a jpeg image, which is attached to an instant message that appears to come from someone on the recipient's AOL "buddy list".
Typically, the picture is accompanied by the message, "hey would it be ok if I upload this picture of you to my blog?" although another similar message may also be used.
If the recipient tries to open the image, the executable installs a program on their PC. This forwards the executable on to other contacts on their buddy list and also enables connections to several remote computers. It then tries to download another program that allows an outsider control the infected machine.
FaceTime's director of malware research Chris Boyd says the goal appears to be creating a huge network of remote-controlled machines, known as a "botnet". As of Thursday, Boyd estimates W32.pipeline had amassed botnet between 1000 and 2000 machines.
Botnets may be used to send out huge quantities of junk e-mail or attack business websites with an avalanche of data, in a so-called distributed "denial-of-service" attack, which may be linked to extortion.
Botnets can also be used to commit "click fraud", which involves ordering the zombie machines to repeatedly click internet advertisements, to generate money for a company that is paid per click.
"The ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes," FaceTime said in a security alert issued on Tuesday.
Boyd and other researchers posted details of the worm, including screenshots and "attack scenarios" to the company's blog http://blog.spywareguide.com.
They note that the botnet created using the worm, which is controlled via Internet Relay Chat (IRC) servers, is particularly sophisticated and uses a complicated "install chain" to schedule file uploads to infected machines.