MONTREAL — A virus has been infecting popular social networking sites MySpace and Facebook, tech experts said Thursday.

On Facebook, the virus is causing email messages to be sent to people on "friends" lists asking them to watch a video supposedly on YouTube. A user has to download what purports to be a plug-in to watch the video.

Tech expert Marc Saltzman said the plug-in is actually a virus.

The bogus email appears to come from a friend, he said.

"Even when you go to the fake site, it has their name and profile picture right on the site, so you really believe it," said Saltzman, a syndicated tech columnist who received several of these emails a few days ago.

"It's affecting what is, arguably, the most popular service among Canadian web surfers. To the best of my knowledge, we haven't really seen a Facebook virus of this magnitude yet," he said.

Security researcher Wayne Blackard said the virus is also infecting MySpace.

"I don't have any specific numbers, but I do expect that it will spread rapidly given the popularity of the social networks," said Blackard of Texas-based TippingPoint Technologies Inc.

On MySpace the virus is being spread when people contact friends.

Blackard said social networking sites are going to become increasingly vulnerable to cyber attacks due to their popularity.

"The implicit trust built into the social circle of friends and the willingness to share information with those in the circle will only the help the social engineering attacks to succeed," he said in an email.

It's difficult to identify the perpetrators, Blackard said, but the intent seems to be to deliver malware such as spam. Then additional malware can be installed to capture "many types of sensitive information," he added.

Facebook, a privately held company based in Palo Alto, Calif., wasn't immediately available for comment on Thursday.

Tech experts say computers must have up-to-date antivirus software to help prevent such attacks.

The virus has been noted by several websites, including Saltzman's blog on MSN, tech blog Pocket-lint and by anti-virus software companies Sophos, Symantec and Kaspersky.

Symantec, maker of Norton AntiVirus software, has identified the fake Flash player update as a trojan called gampass.

"What this trojan does is it tries to steal a person's online gaming credentials," said Marc Fossi, manager of development for security response at Symantec in Calgary.

"What they can do with these stolen gaming accounts is sell them online," he said. "It would steal your user name and password and send it back to whoever is sending this thing out."

Money can be made from selling the account information, which usually includes blocks of playing time, and it can be made from selling coveted characters from certain games, he added.

Fossi said this can happen if a user is trying to log on to a gaming account on his computer and wouldn't affect signing into an XBox Live account.

He also said the same caution that users apply to email attachments is needed on social networking sites.

"I think that people need to treat these social networking programs just like any other website ... Don't give that implicit trust to everything that you see there. You've really got to make sure that your computer is protected."