Reuters safely restored its instant messaging service at 07:00 GMT on Friday, 15 April after temporarily suspending service on Thursday, to protect its customers.
Reuters decision to suspend the service came after a handful of customers reported they received instant messages, inviting them to visit a website which contained infected software.
Although this was not an attack on Reuters, the company decided to take precautionary measures to protect its customers by preventing Reuters Messaging (RM) from being used to propagate a variant of the Kelvir worm. While Reuters suspended its service voluntarily, some consumer IM networks choose not to do so, in similar cases.
Reuters and its partner, Microsoft, worked together to quickly isolate and identify the issue, implementing a solution to protect RM customers in less than 24 hours.
The majority of Reuters customers run proper compliance, firewall and anti-virus protection and were therefore not infected. Furthermore, the customers who were running the latest version of RM - 4.0 - were immune to the worm. Version 4.0, which is offered as a free upgrade, has been available since October 2004.
Reuters advises customers who suspect they have been infected to follow their standard anti-virus clean-up procedures – and certainly do so prior to attempting to upgrade to RM 4.0. Reuters in any case urges its customers to ensure their anti-virus software is continually updated. Our customers' IT departments should be aware that two of the most popular anti-virus vendors, McAfee and Trend, have downloadable software solutions to this worm.
When Reuters Messaging service was restored, those users that were infected may experience 'undeliverable' messages if identified worms attempt to infect their networks again. Customers experiencing such issues should report them through their normal channels.
We would like to take this opportunity to reassure our customers that this infection was not targeted at Reuters. The only Reuters system affected was Reuters Messaging. All other services have continued to operate as usual.
On Thursday, 14 April at 09:11 GMT, Reuters became aware of a new variant of a virus/worm (W32/Kelvir) that is attempting to spread by using messaging services.
The nature of the virus is such that it will send messages to the contacts in the user's RM contact list. This message included a URL link inviting users to visit an infected website, in an attempt to spread the virus.
Once the receiving user clicks on the URL link, the web browser would open to the infected website. The website will then attempt to download the virus executable to the end-user machine. A pop-up message will then appear, offering end-users the option to "Open" (i.e. run), "Save" or "Cancel" the download. If the end-user chooses to open (i.e. run) the virus then the end-user’s PC gets infected. Reuters recommends end-users to "Cancel" any download of executable programmes from suspicious web sites.
The Kelvir worm is not unique to Reuters Messaging, nor is the RM service the only network to experience such a worm. Worms can spread through public IM networks, internal IM systems and email systems.
Reuters and its technology partners are continuously working to better educate our customers on our products and services while providing them with the most advanced technology solutions.