Kelvir-F worm attempts to infect instant messaging users, Sophos reports

March 30, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have warned users to be on their guard against a worm which spreads via instant messaging, posing as a funny screensaver.

The W32/Kelvir-F worm spreads via Windows Messenger using a variety of different messages, sending itself to every person in the infected computer's contacts.

The messages sent by the worm are randomly chosen from the following list:

  • hey check this out I almost pee'd my pants <URL>
  • wow, i almost fell off the chair when i saw this <URL>
  • haha i just found the funniest drawing, check it out <URL>
  • wow, this drawing makes you feel like your on some type of drug <URL>
  • crazy, its like a virtual acidtrip or something, check it out <URL>

Clicking on the URL takes the user to a web page containing a file called funnyashell.scr. At the time of analysis the file available for download contained the dangerous W32/Rbot-ZU internet worm which can quickly infect unprotected unpatched computers connected to the internet, without requiring any user interaction.

"More people are becoming aware that they need to be suspicious of unsolicited email attachments, but many are still oblivious to the dangerous other ways in which viruses can attack their systems," said Graham Cluley, senior technology consultant for Sophos. "Users of instant messaging software must run up-to-date virus protection software on their desktop computers, as well as exercising caution about what they choose to run or click on."

"Furthermore, people need to get out of the bad habit of exchanging joke programs, funny screensavers and the like willy-nilly with each other," continued Cluley. "Virus writers will often disguise their malware as this kind of content in an attempt to lure people into clicking before they think."

Although there have only been a small reports of the worm, Sophos recommends computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.