Mike Brock <brockm@...>
As most of you probably know, Yahoo has a problem which is allowing a worm
to send messages out to various Yahoo Groups. The following is a quote from
the website "The Register":

Yahoo!'s webmail service has been discovered on the net.
The JS-Yamanner worm spreads when a Windows user accesses Yahoo! Mail to
open an email sent by the worm. The attack works because of a vulnerability
in Yahoo! Mail that enables scripts embedded within HTML emails to be run
within a user's browser instead of being blocked.
Once executed, the worm forwards itself to an infected user's contacts on
Yahoo! Mail. It also harvests these addresses and sends them to a remote
internet server. Only contacts with an email address of either @yahoo.com or
@yahoogroups.com are hit by this behaviour.
Infected emails commonly have the subject line "New Graphic Site" and are
spoofed so as to appear from "av3@...". Users who open infected emails
will be redirected to a webpage at www.av3.net/index.htm.
Symantec Security Response senior manager Kevin Hogan said: "Unlike its
predecessors, which would require the user to open an attachment in order to
launch and propagate, JS-Yamanner makes use of a security hole in the Yahoo!
web mail program in order to spread to other Yahoo! users. Yahoo! is a
popular email tool, and although normally closed to such threats, the
exploitation of this vulnerability provides access to a significant number
of internet users.
"As there is no patch at present, users are recommended to update virus
definitions and firewall signatures and to block any emails sent from

At this time I have placed those members whose address appears to be
associated with the messages in moderation. I should emphasize that these
members have committed no wrong and they will be unmoderated when Yahoo
fixes their problem. I suggest that all members institute a message rule
which will automatically delete messages with "New Graphic Site" in the
subject line. Unfortunately, Yahoo apparently has no feature which would
allow me to identify such messages at the Yahoogroups site. Since I am not
entirely clear as to the process being used by this worm, that is the
current extent of my actions. Further moves may be required.
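
The message rule suggested above, extended to also flag script-capable markup in HTML mail bodies, as an added example that is not part of the original post or the quoted article. Only the subject line comes from the post; the tag list, the `triage` function and both sample messages are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser

SUBJECT_INDICATOR = "new graphic site"  # subject line quoted in the post
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # assumed triage list

class ActiveContentFinder(HTMLParser):
    """Collects script-capable markup found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # event handlers: onload=, onerror=, ...
                self.findings.append(f"{tag}[{name}]")
            elif value and "".join(value.split()).lower().startswith("javascript:"):
                self.findings.append(f"{tag}[{name}=javascript:]")

def triage(raw_bytes):
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if SUBJECT_INDICATOR in str(msg.get("Subject", "")).lower():
        reasons.append("subject matches worm indicator")
    for part in msg.walk():  # covers single-part and multipart mail
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            reasons += [f"active content {f}" for f in finder.findings]
    return reasons

# Constructed sample messages (not captured worm traffic).
SAMPLE_FLAGGED = (b"From: sender@example.test\r\nSubject: New Graphic Site\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><img src="banner.gif" onload="void(0)"></body></html>\r\n')
SAMPLE_CLEAN = (b"From: member@example.test\r\nSubject: Meeting notes\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><p>See you Tuesday.</p></body></html>\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(triage(sample) or "deliver")
```

Matching on the subject alone misses any variant that changes it, which is why the body check is reported separately.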