JavaScript
batraider, 2015-11-08 00:21:53

Is it possible to write a virus in JavaScript?

Is it possible to write a virus in pure javascript and what is the complexity (estimated in the damage caused to them)? It would be interesting to hear specifically about js stylers :)


9 answer(s)
Nikita Gushchin, 2015-11-08
@DevartNigga

Let's start with the fact that a virus is a rather complex thing and it usually consists of several modules. One of them is an exploit. Its main task is to exploit an already known vulnerability in order to gain the ability to execute arbitrary code (as an example).
If we skim through the list of vulnerabilities, we will see that many of them involve JS. Here is a graph taken from the same site:
It clearly shows the dynamics of vulnerabilities leading to remote code execution (red line). Hence the logical conclusion - js can be used as an exploit.
Some previous speakers incorrectly noted that the browser, like any other full-fledged application, has access to the file system (the very usual access when you can write, read, create non-system files) through the operating system API (for example: WinAPI for windows). Inside, it all looks like a system call - the program transfers control to the kernel level, after saying that you need to open / create / write such and such a file. So, we need an assembler (yes, don't be surprised) code to which our exploit will transfer control.
OK. Now let's move on to the exploit itself. There is such a technique - heap spraying: we take our useful (harmful) load and fill all the memory with it:

var buf = new Array();
// fill 200 MB of memory
for(var i = 0;  i != 200; ++i) {
  buf[i] = nop + shellcode;
}

And, it is quite possible that we will overwrite certain areas (I will not go into details) and be able to execute our shellcode. And yes, as riot26 said - the browser will most likely crash after this ... but it doesn't matter to us anymore - the code will be injected and executed. Of course, this is banal and there are 100,500 more different options that no one will tell you about, but the idea is clear.
PS I take this opportunity to say hello to people in uniform!
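
A defender's view of the loop described in this answer, as an added example that is not part of the original post: a small static heuristic that flags heap-spray-shaped JavaScript during triage. The rule ids, regexes and thresholds are assumptions for illustration, and the second and third rules go beyond the quoted loop to two other commonly documented shapes of filler-building code.

```javascript
// Added example: static triage heuristics for heap-spray-shaped JavaScript.
// Rule ids, regexes and thresholds are assumptions chosen for illustration.
const RULES = [
  // A loop whose body stores a concatenation (a + b) into an indexed slot,
  // the shape of the loop quoted in the answer above.
  { id: "array-fill-concat",
    re: /\b(?:for|while)\s*\([^)]*\)\s*\{[^}]*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+/ },
  // s += s: a string that doubles itself to reach a large size quickly.
  { id: "string-doubling", re: /\b(\w+)\s*\+=\s*\1\b/ },
  // The same %uXXXX or \xXX unit repeated four or more times in a row.
  { id: "repeated-escape-unit",
    re: /(%u[0-9a-f]{4}|\\x[0-9a-f]{2})\1{3,}/i },
];

// Returns the ids of all rules that match, in RULES order.
function heapSprayIndicators(source) {
  // Drop comments first so commented-out code does not trigger a rule.
  const code = source.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, "");
  return RULES.filter((rule) => rule.re.test(code)).map((rule) => rule.id);
}

// Input 1: the loop from the answer above, held as text (never executed).
const PAGE_SNIPPET = `
var buf = new Array();
// fill 200 MB of memory
for(var i = 0;  i != 200; ++i) {
  buf[i] = nop + shellcode;
}`;

// Input 2: constructed benign code that also fills an array in a loop.
const BENIGN_SNIPPET = `
const totals = [];
for (let i = 0; i < rows.length; i++) {
  totals[i] = rows[i].price * rows[i].qty;
}`;

console.log(heapSprayIndicators(PAGE_SNIPPET));
console.log(heapSprayIndicators(BENIGN_SNIPPET));
```

Regex matching of this kind is a triage aid only: obfuscated or generated code needs a real parser or dynamic analysis.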

Stanislav Makarov, 2015-11-08
@Nipheris

Of course, no one needs a browser that will allow you to do something serious on his machine without asking the user. In fact, there is really no API in the browser to, say, rummage through the file system. It is not needed there: a web application is "web" precisely because it takes most of its data from the server, unlike a desktop application.
Another thing is that you can look for vulnerabilities in the browser and try to exploit them, but "on what" your virus will be written in this case is a matter of a specific vulnerability. If this is a remote code execution, then in js you will most likely write only an exploit directly, and the payload should already be in the native code of the victim platform.
Plain viruses can be written in languages like C/C++/C# because they run as operating system processes and have access to either a native API or a platform API like .NET. And these APIs have enough means to access the system - you just need to force the victim to run the body of the virus and, possibly, give it elevated privileges (although the same ransomware does not need elevated privileges at all - nothing prevents it from overwriting non-system (user) files and extorting money for a decoder). There are no such tools in the browser. If they appear, then there will certainly be some kind of clear access control mechanism.
The maximum that can be done, as Itvanya said, is to fill up the JS engine with rubbish (allocate memory, start a bunch of timers); browsers are not very good at controlling consumed resources right now.

v- death, 2015-11-08
@vGrabko99

A DDoS botnet in JS is possible.

riot26, 2015-11-08
@riot26

Crash the browser - the maximum that you can do with js

teslor, 2015-11-08
@teslor

A virus in the classical sense of the word cannot be written, but a malicious program can be written.
On Windows, for example, JavaScript is built into the shell - Windows Script Host (in the form of JScript), scripts have access to the file system, registry, etc., i.e. a lot of things can be done. But the user himself must run the malicious js file for execution (and have administrative rights).
In the browser, as you have already been told, nothing special can be done, because the browser is a sandbox and all JS actions there are heavily restricted for security reasons.

hime2, 2015-11-08
@hime2

No, for that you should look in the direction of C++ / C# / Java, etc.
But it is worth recalling the punishment, all this is fixed and very quickly.
You can use 1000 proxies, but this will only increase the delay until they come to you.
On js, you can try to install it and run it.
But then again, if the user is adequate, nothing will come of you.

Nash, 2015-11-08
@mrTyler

Look towards Chrome plugins; many articles about them have been published on Habr.

Itvanya, 2015-11-08
@Itvanya

As long as browser JavaScript doesn't have access to the file system, it can't do anything other than reload the browser locally. Another thing is the node.js technology, which has the necessary API to do everything that can be done in any other programming language. The question, to be honest, was originally posed incorrectly.

BUTURUM, 2021-03-31
@BUTURUM

Heard about nodeJS? It has access to the file system, without any restrictions. In the browser you do not write a virus.
