Some interesting commentary over at Kaspersky about the effectiveness of IM worms:
This effectiveness worked in several ways. By uploading to several sites the attackers still had one or more places left to turn to when measures were taken to take a site down.
Additionally, different messages were used to convince the recipient to click on the link. Among those messages was one with a link to a .wmv file on a popular humor site. The link, of course, was fake, and it led to the malware.
Faking the link is done through some basic HTML code, and, in my opinion, this is yet another reason for not having an HTML parser in your IM client.
I agree with the general sentiment in this case, but I am not sure not having HTML at all is the right answer here. Markup is useful in communications, whether it's HTML or not. This is why my stance on HTML in e-mail/instant-messaging has always been a mixed bag. It's currently a nightmarish window to many security holes, and it's often abused by spammers, making it an effective way to decide if a message is spam or not.
But often the security problems with HTML are because of poorly written software that allows a user to infect themselves with malware when they think they are just viewing a movie. This is not a problem intrinsic to the idea of allowing users to use markup in general, which as far as I am concerned is an unavoidable necessity as the growth of e-mail and instant messaging continues.
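The faked link described in the quoted commentary is an anchor whose visible text names one site while its href points at another. The following is an added example, not code from this post or from Kaspersky, of a check an IM client could run on incoming markup before rendering it, so that it can show the real destination instead of dropping markup altogether. The function names and the sample hosts (`humor.example`, `files.invalid`) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a URL or bare hostname, e.g. "site.example/clip.wmv".
URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:[/?#]\S*)?$",
    re.I)

def norm(host):
    """Lowercase a hostname and drop a leading 'www.' so trivial variants compare equal."""
    h = (host or "").lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h

class LinkAuditor(HTMLParser):
    """Collects (href, visible_text) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:      # only keep text that sits inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(message_html):
    """Return (shown_host, real_host) for anchors whose text names a host the href does not go to."""
    auditor = LinkAuditor()
    auditor.feed(message_html)
    auditor.close()
    findings = []
    for href, text in auditor.links:
        match = URLISH.match(text)
        if not match:
            continue                    # plain wording such as "click here" makes no host claim
        try:
            real = norm(urlsplit(href).hostname)
        except ValueError:              # malformed href: treat as having no trustworthy host
            real = ""
        if norm(match.group(1)) != real:
            findings.append((norm(match.group(1)), real))
    return findings
```

A client that gets a non-empty result can render the link with the real host shown beside it, or as inert text.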