The Kelvir worm, first reported by SC in early March, targets Microsoft's Instant Messenger (IM) and forced Reuters to temporarily shut down its own system on Thursday.
Kelvir's rise has been marked by a huge amount of variants in a small space of time. Recently, Kelvir has evolved to grab email addresses even if its executable file isn't executed.
"When a link [that appears in IM] is clicked, the user is presented with a prompt to execute or save an MS-DOS application. By now, users will hopefully be suspicious and not run the application," said Roel Schouwenberg, senior research engineer at anti-virus firm Kaspersky on the company's weblog. "But as soon as the user clicks the link, their email address is harvested. So even if the user doesn't run the MS-DOS application, the brains behind Kelvir get another address to spam."
The success of Kelvir was best highlighted by the day-long absence of Reuters internal messaging system. A precaution that a Reuters spokesman said was to ensure the attack remained under control.
Last month SC reported a surge in IM worms had sparked a new criminal turf war, resulting in a number of new virus variants.