The infection appears to take advantage of three separate flaws with Microsoft Corp. products. Microsoft said software updates to fix two of them had been released in April, but the third flaw was newly discovered and had no patch to fix it yet.
Experts said the infection, detected by Microsoft on Thursday, was unusually broad but wasn't substantially interfering with Internet traffic.
Security experts at Microsoft and elsewhere worked Friday to pin down how the infection spreads across Web sites. It appears to target at least one recent version of Microsoft software for operating Web sites — called Internet Information Server.
The infection makes subtle changes to the Web site so visitors get a piece of code that's designed to retrieve from a Russian Web site software that records a person's keystrokes and can send data back, experts say. Such software "Trojan horses" are routinely used to fish for credit card numbers, bank accounts, passwords and the like.
Now that the code is out, other hackers are likely to adapt it to distribute software for spamming and for launching broad Internet attacks against popular Web sites, said Alfred Huger, senior director of engineering at security company Symantec Corp.
"Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," the U.S. Computer Emergency Readiness Team warned in an Internet alert.
Stephen Toulouse, a security program manager at Microsoft, recommended that computer owners obtain the latest security updates for Microsoft products and their anti-virus and firewall programs.
Because one flaw has yet to be fixed, he said, users should also turn up security settings on Microsoft's Internet Explorer browsers to the highest levels.
The infection does not affect Macintosh versions of Internet Explorer.
PC World reported that a Finnish Internet security firm has linked the virus to a Russian hacker outfit called Korgo.
Most observers say the virus is not causing any major disruptions.
"While this is significant, it has no impact on the operation of the Internet," said Marcus Sachs, who helps run the industry's Internet Storm Center in Bethesda, Md.
Internet fraud, particularly as it relates to the misuse of personal information, is a growing concern for law enforcement.
The Federal Trade Commission reported in January that reports of Internet-related fraud now account for more than half the consumer complaints filed there.
Internet-related fraud was the subject of 55 percent of the more than half-million complaints filed in 2003, up from 45 percent a year earlier, the FTC said. The median loss for victims of Internet-related fraud was $195.
A federal crackdown last year on a wide range of Internet fraud schemes costing victims an estimated $100 million has resulted in the arrest or conviction of 125 individuals.