Kelvir -- first discovered in February -- originally used MSN Messenger to spread. However, now with around a dozen variants, the malware has evolved to a state where it can use a range of IM applications and collect e-mail addresses without having to infect that user.
Roel Schouwenberg, senior research engineer at Kaspersky, said in the company's Web log that the latest Kelvir variant adds the name of the potential victim's e-mail address to the link. Should the recipient click on the link and run the executable, they will also be infected by the worm. However, even if the user does not run the executable, their e-mail address will still be sent to the worm's author for use in a future attack.
"When the link is clicked, the user is presented with a prompt to execute or save an MS-DOS application. By now, users will hopefully be suspicious and not run the application. But as soon as the user clicks the link, their e-mail address is harvested. So even if the user doesn't run the MS-DOS application, the brains behind Kelvir get another address to spam," said Schouwenberg.
International media firm Reuters was forced to shut down its internal IM application this week after some of its users were infected by the Kelvir worm. The company decided to take its Reuters Messaging IM system completely offline after noticing an attack on its network.