Security threats Toolkit

Kelvir IM worm spreading fast

Munir Kotadia ZDNet Australia

Published: 15 Apr 2005 10:35 BST

The latest Kelvir worm variant has started spreading over multiple instant-messaging applications. The latest attack has been successful, according to antivirus firm Kaspersky, because of its ability to manipulate PHP links.

Kelvir — first discovered in February — originally used MSN Messenger to spread. However, now with around a dozen variants, the malware has evolved to a state where it can use a range of IM applications and collect email addresses without having to infect that user.

Roel Schouwenberg, senior research engineer at Kaspersky, said in the company's Web log that the latest Kelvir variant adds the name of the potential victim's e-mail address to the link. Should the recipient click on the link and run the executable, they will also be infected by the worm. However, even if the user does not run the executable, their email address will still be sent to the worm's author for use in a future attack.

"When the link is clicked, the user is presented with a prompt to execute or save an MS-DOS application. By now, users will hopefully be suspicious and not run the application. But as soon as the user clicks the link, their email address is harvested. So even if the user doesn't run the MS-DOS application, the brains behind Kelvir get another address to spam," said Schouwenberg.

International media firm Reuters was forced to shut down its internal IM application this week after some of its users were infected by the Kelvir worm. The company decided to take its Reuters Messaging IM system completely offline after noticing an attack on its network.

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.