Kelvir worm
Symantec Corp.
This may look like an innocent IM message, but it's really the first part of a Trojan horse trap set by the Kelvir worm.
By Bob Sullivan, Technology correspondent
updated 3/7/2005 9:09:19 PM ET

A spate of instant message worms released over the last few days has some antivirus researchers concerned: With e-mail viruses less effective than before, virus writers, they say, are now turning their attention to the popular — and not very secure — chat tools used by millions.

A worm named Kelvir made the rounds on Sunday, with several variants appearing almost immediately.

Kelvir is tricky, pasting a simple message in Microsoft's MSN Messenger chat tool, such as "lol! See it! You'll like it!" The worm then displays a link to a Web page infected with a Trojan horse. Users who click on the link are infected with the worm. Not only do they then send copies of the worm to fellow chatters, a Trojan horse is also installed on their systems.

The ploy is effective because it can appear in mid-conversation with another chatter, convincingly suggesting it's really from someone you are talking to. 

"This is a fairly big deal," said John Sakoda, the chief technology officer at IMLogic, an instant message security firm. He said more than 10 percent of his firm's 400 clients reported seeing a variant of Kelvir in recent days.

None of the variants will cause a serious outbreak, antivirus firms say, because they involve two steps to infect users — they must see the file name, and then click on a Web site link. Once that Web site is removed from the Internet, the worm no longer operates, and all the Kelvir Web pages have been pulled down.

Still, researchers are worried that virus writers have taken a fancy to IM tools, and expect to see many more worms targeting the tools in the coming months. Already, there have been as many IM worms this year alone as there have been in all the years previous, said antivirus guide Mary Landesman.

"The underlying point is instant message worms are gaining a lot of speed. There is a lot of activity right now," said Craig Schmugar, a virus researcher at "There is definitely a shift in the attention of at least some virus authors."

Instant messaging is continuing its march toward ubiquity in the workplace -- and most often, employees use public tools from Microsoft, Yahoo, and America Online.

(MSNBC is a Microsoft - NBC joint venture.)

According to a recent study by the Radicati Group, by 2008, 88 percent of workplace users will rely on such a public network. That raises security concerns, because even interoffice messages are sent over the Internet, outside the control of network administrators. Interoffice e-mail is easier to contain.

"We're seeing people wake up to the fact that IM is everywhere, and virus writers and worm writers are waking up to the fact that it's a powerful means to propagate malicious code," Sakoda said.

So far, IM worms haven't risen to the level of a notorious virus like Code Red or LoveBug. But researchers say it's certainly possible -- particularly if virus writers find a way to make the program spread on its own, without requiring a recipient to click on a link. Symantec Corp. has done simulations suggesting entire corporations could become infected in less than a minute.

"In our annual Internet security threat report, we predicted this would be taking place, a rise in IM-based threats," said Symantec's Alfred Huger.

So far, Landesman said, Microsoft's MSN Messenger has been the most tempting target for virus writers. Of the 50 or so IM worms she's counted since 2001, about 40 have targeted Microsoft products. The others were evenly split between America Online's AIM and Yahoo Messenger. Sakoda said about two-thirds of the worms he's seen target Microsoft's tools. (MSN Messenger is targeted at home users; Windows Messenger at business users.)

"It just means that MSN and Windows Messenger are popular internationally, and most of these worms surface overseas first," Sakoda said.

For now, consumers who use the popular tools should know they are facing increased risks, Landesman said. The best thing to do is be extremely skeptical when clicking on links sent over instant message tools, even if they appear to be from people you know.

"You have to assume that links in IM are bad until proven otherwise," she said.
