IM Worms Pose Significant Threat

By Mary Landesman, About.com

September 28, 2005

This year I began informally tracking Instant Messaging worms after a friend's PC became infected with one. The infection happened when the daughter clicked a link in one of her contacts' 'away' messages. At the time, no antivirus software I tried was able to detect the threat, and both Task Manager and Registry Editor had been rendered inaccessible by the infector.

After the ordeal was over, I searched the various antivirus vendor sites to see just what sort of info they had about IM threats. This was in January 2005 and I was able to find only 28 descriptions from 2001 through to the end of 2004. That's when I decided to track the threats, checking for new descriptions on the various antivirus vendor sites and logging them in an Excel spreadsheet. Here's some of what I've found.

Since January 1, 2005, at least 358 descriptions have been published for specific IM threats. I say 'at least' because this sort of tracking isn't very exact and I may have missed some. But any way you look at it, 358 is a huge increase over the 28 reports I could find for the entire previous four-year period.

The single biggest threat has been from the Kelvir worm family, which targets MSN Messenger users. Check out the Kelvir Worm Overview for more details on the Kelvir IM worms.

According to the data I've collected, MSN Messenger users (in large part because of Kelvir) appear to be the most frequent targets of all Instant Messenger threats, with 319 IM worms to contend with. AOL Instant Messenger (AIM) users come in a distant second with 64 IM worms targeting them. Both ICQ and Yahoo! Messenger take third place with only 7 IM worms each targeting those chat clients.

But those are the stats for individual worms. Kelvir alone has 264 variants in its family. If we look only at the family numbers, AOL and MSN are almost tied, with 30 and 39 families targeting those chat clients respectively. Yahoo comes in 3rd, still with 7 threats, and ICQ drops to 4th place with only six families to contend with.

Kelvir, with its 264 variants, is also obviously the most prevalent of the IM worms. The second highest number of variants is the Opanki family at 25, followed by Bropia (19), Oscabot (16), Chode (9), and Supova (6). The remaining 48 families all sported 4 or fewer variants (with 38 having only a single variant per family).

Instant Messaging worms are not merely nuisance threats, either. Kelvir and crew are most commonly associated with some of the nastiest backdoor and remote access Trojans found on the 'Net today. Don't be complacent and don't get caught off guard. Be sure to check out my Tips for IM Safety to learn how to prevent these Instant Messenger threats.

©2008 About.com, a part of The New York Times Company.

All rights reserved.