The latest Kelvir worm variant has started spreading over multiple instant-messaging applications. The latest attack has been successful, according to antivirus firm Kaspersky, because of its ability to manipulate PHP links.
Kelvir — first discovered in February — originally used MSN Messenger to spread. However, now with around a dozen variants, the malware has evolved to a state where it can use a range of IM applications and collect email addresses without having to infect that user.
Roel Schouwenberg, senior research engineer at Kaspersky, said in the company's Web log that the latest Kelvir variant adds the name of the potential victim's e-mail address to the link. Should the recipient click on the link and run the executable, they will also be infected by the worm. However, even if the user does not run the executable, their email address will still be sent to the worm's author for use in a future attack.
"When the link is clicked, the user is presented with a prompt to execute or save an MS-DOS application. By now, users will hopefully be suspicious and not run the application. But as soon as the user clicks the link, their email address is harvested. So even if the user doesn't run the MS-DOS application, the brains behind Kelvir get another address to spam," said Schouwenberg.
International media firm Reuters was forced to shut down its internal IM application this week after some of its users were infected by the Kelvir worm. The company decided to take its Reuters Messaging IM system completely offline after noticing an attack on its network.
Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.
Talkback
The simple way to avoid problems like this is to remove the active links from IM conversations. If someone really wants to visit a site, they can copy the link into their browser and go from there.This could reduce the number of users falling victim of this worm, simply because they're too lazy to copy (or retype) then link. The problem with having active links in IM communications is they can be accidentally clicked, especially if the recipient is not paying attention, even if they would recognise it for what it was and ignore it normally.
<%RPMiSO> Mwahaha, Improved kelvir is going to be released tonight.
hes releasing a new version tonight
hes in #bottalk irc.rizon.net
this is kind of funny actually. Virus version 1.0.0.0, creator The RPMiSO group, filesize 20kb, stored in C:\ named fr.exe. Runs about 10 times and bogs your ram.