Known as Koobface, the virus causes messages to appear in user accounts claiming to have come from a friend, with a link to a video and a title such as "You look so amazing funny on our new video" or "Nice dancing! Shouldn't you be ashamed?"
However, following the link takes the user to a bogus webpage where he or she is asked to update their software by downloading a file, which is where the malicious code is located. The next time the user logs on to their account, the same email is sent to all their Facebook contacts.
The social networking site, which has 120m global users, has long escaped spamming problems and fraudulent outside interference, but by spreading fake emails via friends who have been explicitly approved by the user, Koobface is making inroads into the site.
According to Barry Schnitt, a spokesman for Facebook, a "very small percentage of users" had been affected by Koobface.
Facebook administrators are working to combat the virus by resetting victims' passwords and contacting them with advice to run anti-virus software.
Alexander Gostev, a security analyst at Kaspersky Lab, said the likelihood of a user clicking on a link of this kind is "very high" as they are trusting of messages left by 'friends'.
He added: "At the beginning of 2008 we predicted that we'd see an increase in cyber-criminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this."