A new worm, spread through instant messaging, has appeared that exploits the jpeg hole in Microsoft software.

Researchers at the SANS Institute's Internet Storm Center (ISC) have had two reports of users receiving messages on AOL's instant messenger service that directed them to websites containing malicious code, said Johannes Ullrich, chief technology officer at ISC. The messages stated: "Check out my profile, click GET INFO!"

When visiting the sites, the malicious code would attempt to install backdoor software on the user's PC that gives remote attackers total control over the machine. Additionally, messages containing a link to the site are sent out to all contacts on the victim's instant messenger contacts list, Ullrich said.

The malicious code is embedded in a jpeg image and exploits a security flaw in the way many Microsoft applications process such images. Microsoft identified and patched the flaw on 14 September, but users have complained that patching is onerous because several applications, including Office and Windows, require separate patches.

The worm appears to have failed so far however. There have been no further reports of users getting the messages and the two AOL Instant Messenger user profile Web pages that contained the harmful images are no longer available. However, Ullrich warned: "People should be worried about the next attempt."

The warning about attempts to exploit the latest Microsoft vulnerability via instant messaging follows warnings earlier this week about hackers seeding pornography Usenet news groups with malicious jpeg images. Users who unwittingly downloaded the images could also have backdoor software installed on their computers.