Re: ADMIN: Yahoo Worm Problem

Thomas M. Olsen <tmolsen@...>

As Mike has noted below, this is the real thing according to Snopes:
Urban Legends. So be forewarned and ready to deal with it! I found
three suspicious emails with New Graphic Site in the subject line.
Fortunately, I am not a Yahoo subscriber and the University of Delaware
has a way to access your email without going through the home browser.
It is called "WebMail" and is accessed through the net itself. I was
able to delete these directly on the UD server without opening them.

Tom Olsen
7 Boundary Road, West Branch
Newark, Delaware, 19711-7479
(302) 738-4292

Here is the web page from Snopes:

New Graphic Site

Virus: New Graphic Site (aka JS.Yamanner@m)

Status: Real.

Example: [Collected via e-mail, 2006]

There is an email going around with the subject "New Graphics Site". It
is spreading fast as about 100 people I know have gotten it just today.
If you get an email with that in the subject line delete it quickly and
DO NOT OPEN IT! This is a new virus I have been told.

Mike Brock wrote:

As most of you probably know, Yahoo has a problem which is allowing a worm
to send messages out to various Yahoo Groups. The following is a quote from
the website "The Register":

A JavaScript worm that takes advantage of an unpatched vulnerability in
Yahoo!'s webmail service has been discovered on the net.

The JS-Yamanner worm spreads when a Windows user accesses Yahoo! Mail to
open an email sent by the worm. The attack works because of a vulnerability
in Yahoo! Mail that enables scripts embedded within HTML emails to be run
within a user's browser instead of being blocked.

Once executed, the worm forwards itself to an infected user's contacts on
Yahoo! Mail. It also harvests these addresses and sends them to a remote
internet server. Only contacts with an email address of either or are hit by this behaviour.

Infected emails commonly have the subject line "New Graphic Site" and are
spoofed so as to appear from "av3@...". Users who open infected emails
will be redirected to a webpage at

Symantec Security Response senior manager Kevin Hogan said: "Unlike its
predecessors, which would require the user to open an attachment in order to
launch and propagate, JS-Yamanner makes use of a security hole in the Yahoo!
web mail program in order to spread to other Yahoo! users. Yahoo! is a
popular email tool, and although normally closed to such threats, the
exploitation of this vulnerability provides access to a significant number
of internet users.

"As there is no patch at present, users are recommended to update virus
definitions and firewall signatures and to block any emails sent from
av3@...." ®"

At this time I have placed those members whose address appears to be
associated with the messages in moderation. I should emphasize that these
members have committed no wrong and they will be unmoderated when Yahoo
fixes their problem. I suggest that all members institute a message rule
which will automatically delete messages with "New Graphic Site" in the
subject line. Unfortunately, Yahoo apparently has no feature which would
allow me to identify such messages at the Yahoogroups site. Since I am not
entirely clear as to the process being used by this worm, that is the
current extent of my actions. Further moves may be required.

Mike Brock


[Non-text portions of this message have been removed]
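
The message rule suggested above, as an added example that is not part of the original thread: it matches the reported subject line and also flags HTML bodies carrying script-capable markup, the condition the quoted Register text describes. The `triage` helper, the class name and both sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

SUSPECT_SUBJECT = "new graphic site"   # subject line reported in this thread

class ActiveContentFinder(HTMLParser):
    """Collects script-capable constructs found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):                  # onload, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def triage(raw_bytes):
    """Return (verdict, reasons) for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if SUSPECT_SUBJECT in str(msg["Subject"] or "").lower():
        reasons.append("subject matches reported worm subject")
    for part in msg.walk():                            # covers multipart mail too
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            reasons.extend(finder.findings)
    return ("quarantine" if reasons else "deliver"), reasons

# Constructed sample messages (inert; not captured worm traffic).
SAMPLE_WORM_LIKE = (b"From: sender@example.test\r\n"
    b"Subject: New Graphic Site\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><img src="logo.gif" onload="/* inert */"></body></html>\r\n')

SAMPLE_BENIGN = (b"From: sender@example.test\r\n"
    b"Subject: Meeting minutes\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><p>Minutes attached.</p></body></html>\r\n")
```

A subject-only rule misses a renamed copy; the markup check still flags it because it looks at the HTML body rather than the header.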
