The Reuters news agency found out the hard way that Kelvir is no IM buddy, after the prolific worm forced it to suspend services for a time Thursday. Antivirus firms said it's another example of IM-based attacks on the rise.
In the last 24 hours, Cupertino, Calif.-based Symantec has tracked five new variants of the worm: Kelvir-W, Kelvir-V, Kelvir-U, Kelvir-T and Kelvir-S. The Kelvir family uses Microsoft's MSN Messenger program to spread and drops variants of the Spybot worm on machines it infects.
Spybot opens backdoors that can be used for future exploits, including denial-of-service attacks. Essentially, Russia-based Kaspersky Lab said on its Web site, bot programs like this will turn infected machines into zombies. Kaspersky Lab said it has also been tracking Kelvir variants, and warned that attacks could get a lot worse in the future.
"Since the beginning of the year we've seen an upsurge in IM worms in incoming traffic," Aleks Gostev, Kaspersky's senior virus analyst, said in a statement. "So far most seem to be written by script kiddies, but we believe that professional virus writers will be quick to exploit this new method… either to create new botnets or to harvest confidential data."
Reuters got a taste of how disruptive Kelvir can be. The agency said it had to temporarily shut down a privately controlled instant messaging service after the worm affected some of the network's users. It was first detected on the Reuters network early Thursday, and the company suspended the service five hours later, a spokesman for the London-based company said in a statement.
"In order to protect users and to prevent Reuters from being used to propagate this worm, Reuters has temporarily suspended Reuters Messaging services," said spokesman Steve Naru. He said Reuters offers the messaging service to financial clients along with its data and news services. There are more than 60,000 active users, he said.
A recent report from a consortium of antivirus firms and IM providers illustrated how much the IM threat is growing. The report, from the IMlogic Threat Center, said IM/P2P exploits in the first three months of 2005 surged more than 270% over the same period last year. The report said more than 50% of incidents logged in the first quarter involved enterprises and small businesses using such IM applications as AOL Instant Messenger, MSN Messenger, Windows Messenger and Yahoo Messenger.
IMlogic launched the threat center last December in partnership with antivirus firms Symantec, Sybari, and McAfee, and IM providers America Online, Microsoft and Yahoo. It tracks and catalogues malicious exploits against IM and P2P programs, offering network managers up-to-date notification of threats and advice to mitigate them.