IM malware evolved from basic IRCBot installers such as Bropia and Kelvir, to Prex which uses links to separate worm and bot, to social-engineered "chatboxes", which incorporate messages to fool users into thinking Paris is offering her explicit personal imagery, or that the FBI will confiscate your PC unless you visit a Web site.

These may lure more users into responses that lead to infection, but such infections are inevitably terminated due to high media attention which result in the quick release of fixes.

Schouwenberg says the use of .php dynamic content to steal e-mail addresses led to a leap in IM hacking.

"The most common scenario in the case of IM worms is that the e-mail address will be stored in a database for spamming purposes, then an executable will be presented to the user for download," he said.

He said new IM malware, such as IRCBot.lo, controls botnet size unlike earlier Kelvir variants that spread uncontrollably.