Jun 15 2006, 07:21 PM
Post
#1
Member [ Level 1 ] Group: Members Posts: 41 Joined: 14-June 06 From: United States Member No.: 13,934
Those of you who use Yahoo Groups may or may not have already heard this, but about three days ago, I received an update from one of the groups I am a member of. Inside this notice I found two "New Graphic Site" messages and one "Virus Warning". The previous two came with attachments. Luckily, I read the virus warning first before opening them. In the virus warning was this piece of advice:
QUOTE
Just a quick warning to members about a virus that is sweeping Yahoo groups. It contains a number of attachments and the subject line reads "New Graphic Site". Don't open the attachments - in fact, I'd suggest that the list owner/moderator delete them out of the list's archives (I've done that on my groups). Also, anyone who has received one of these - even if you didn't open it (my Outlook Express opens things automatically when I highlight the e-mail in my list - but, for once I'm happy I have a Mac, since I'm almost guaranteed to be safe from any viruses coming through) - run a virus scan on your computer. Again, don't open any e-mails coming through Yahoo groups that have the subject "New Graphic Site" - it's a worm and will continue spreading through the groups more quickly as more members get their computers infected. ~Urd-chan

Just thought I'd give you guys a heads up if you haven't received this notice already.

This post has been edited by mpinsky: Jun 16 2006, 01:06 AM
Jun 16 2006, 05:04 AM
Post
#2
Premium Member Group: Members Posts: 243 Joined: 20-January 05 From: Bombay, INDIA Member No.: 2,231
Outbreak Confirmed.
JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo! Mail service to send a copy of itself to other Yahoo! Mail contacts.

Notes:
* The worm cannot run on the newest version of Yahoo Mail Beta.

Also Known As: JS/Yamanner@MM [McAfee], JS_YAMANER.A [Trend Micro], Yamanner.A [F-Secure], JS/Yamann-A [Sophos]
Type: Worm
Infection Length: 6,377 bytes.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Yahoo Mail users are advised to BLOCK all mail from "av3@yahoo.com", although by now, Yahoo admins will have taken care of this server side. Also, use the new BETA GUI (in spite of its clunkish attempts to emulate GMail ;-) )

JS.Yamanner@m arrives on the compromised computer as a Yahoo! HTML email containing JavaScript. If the email is opened within Yahoo! Mail, it performs the following actions:

1. Exploits a vulnerability in the Yahoo! Mail service and executes a script.
2. Scans emails in the personal folders of the Yahoo! Mail account. The worm gathers email addresses that contain @yahoo.com and @yahoogroups.com domains.
   Note: The personal folders are email folders in the currently logged in Yahoo! Mail account. These include folders such as the Inbox, Sent, and any custom-named folders in the account.
3. Sends a copy of itself to the email addresses gathered. The email may have the following characteristics:
   From: Varies
   Subject: New Graphic Site
   Message Body: Note: forwarded message attached.
4. Redirects the Web browser from Yahoo! Mail to the following Web site: [http://]www.av3.net/index.htm
5. Sends the list of gathered email addresses to the above URL.

This post has been edited by sparx: Jun 16 2006, 05:06 AM
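The indicators listed in the post above can be checked mechanically when triaging a mailbox export. The following is an added example, not part of the original thread or of any vendor's tooling: the function name, the sample messages and the regex used to approximate "HTML email containing JavaScript" are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the post above (lower-cased for comparison).
SUBJECT = "new graphic site"
BODY_NOTE = "forwarded message attached"
BLOCKED_SENDER = "av3@yahoo.com"
CALLBACK_HOST = "www.av3.net"
# Assumption: active content means a <script> element, an inline on*=
# event handler, or a javascript: URL inside an HTML part.
ACTIVE_HTML = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


def yamanner_indicators(raw_message):
    """Return the sorted names of the indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = set()
    if SUBJECT in (msg.get("Subject") or "").lower():
        hits.add("subject")
    if parseaddr(msg.get("From") or "")[1].lower() == BLOCKED_SENDER:
        hits.add("sender")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, "replace").lower()
        if BODY_NOTE in text:
            hits.add("body_note")
        if CALLBACK_HOST in text:
            hits.add("callback_host")
        if part.get_content_subtype() == "html" and ACTIVE_HTML.search(text):
            hits.add("active_html")
    return sorted(hits)


# Constructed sample messages (not captured traffic).
SUSPECT = (
    "From: Someone <member@yahoo.com>\n"
    "Subject: New Graphic Site\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Note: forwarded message attached.</p>"
    "<script>/* constructed placeholder */</script>\n"
)
BENIGN = "From: owner@yahoogroups.com\nSubject: Weekly digest\n\nMeeting notes.\n"
```

A single hit such as the subject line alone is weak evidence; the combination of the subject, the body note and active HTML is what matches the description in the post.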
Jun 16 2006, 07:28 AM
Post
#3
[+] Graphic Designer [+] Group: Members Posts: 614 Joined: 6-April 05 From: Croatia Member No.: 3,666
No worries for me, because I don't use Yahoo Groups.
Jun 17 2006, 02:11 AM
Post
#4
Member [ Level 1 ] Group: Members Posts: 41 Joined: 14-June 06 From: United States Member No.: 13,934
QUOTE
4. Redirects the Web browser from Yahoo! Mail to the following Web site: [http://]www.av3.net/index.htm
5. Sends the list of gathered email addresses to the above URL.

So then the person at that website exploits those e-mail addresses?

This post has been edited by mpinsky: Jun 17 2006, 02:11 AM
Jun 19 2006, 11:57 AM
Post
#5
Premium Member Group: Members Posts: 243 Joined: 20-January 05 From: Bombay, INDIA Member No.: 2,231
I can't really say what the person who receives the email addresses does with them, but it stands to reason that harvesting email addresses in any manner, but particularly by way of a worm, means the creator is up to no good!
Jun 19 2006, 08:04 PM
Post
#6
Super Member Group: [HOSTED] Posts: 533 Joined: 25-April 05 Member No.: 4,374
In a different article I heard that this exploit had something to do with AJAX. I have yet to find a good resource that fully describes the problem. Is the script run on the server or on the user’s end? It is slightly confusing as I have not heard that it only affects IE or Firefox and that is usually the deciding factor when a web exploit is run on the user’s machine.
Jun 20 2006, 05:37 AM
Post
#7
Advanced Member Group: Members Posts: 147 Joined: 13-May 06 Member No.: 13,389
I might be wrong here, so correct me if I am. I think what the worm does is when you open your mail, it would automatically mail itself to other people on your contacts. Does no harm to your computer, actually. I think it is run on the server and thus affects both IE and Firefox.
Jun 21 2006, 07:03 AM
Post
#8
Premium Member Group: Members Posts: 243 Joined: 20-January 05 From: Bombay, INDIA Member No.: 2,231
QUOTE
I might be wrong here, so correct me if I am. I think what the worm does is when you open your mail, it would automatically mail itself to other people on your contacts. Does no harm to your computer, actually. I think it is run on the server and thus affects both IE and Firefox.

Quite correct. Although the worm does no harm to the local computer, it does take its toll on networks by clogging up bandwidth. What's scary is the fact that it's exploiting server-side JScript code to cause damage. All browsers are affected. This is NOT a browser issue, but an issue with Yahoo's implementation of scripting. Take note that this vulnerability does not exist for the new BETA interface.