Yahoo Web E-mail Exploit:
Make Sure You're Protected
Jen Koch

Yahoo Web e-mail users beware! Symantec Corp. reported a new mass-mail worm - referred to as "JS.Yamanner@m" - that exploits a vulnerability in Yahoo e-mail and may be activated without ever opening an attachment.

In Jeremy Kirk's article in the June 16th edition of Computerworld, Symantec Security Response senior manager Kevin Hogan flagged the worm's impact as "low," but still recommended taking precautions. He said the worm "did not appear to be spreading widely," and also said Symantec does not expect the threat of the worm to get much worse.

For more information about how to protect your Yahoo e-mail account, visit here for Symantec's security response.

How Does It Work?

The worm is unusual in that it takes advantage of Yahoo Web e-mail's ability to load scripts within the body of the mail text. Malicious javascript will load upon opening the message, bypassing the more common use of .exe and other file attachments.

When opened, the worm searches personal folders on the e-mail account, collecting and sending itself to addresses including "yahoo.com" and "yahoogroups.com" domains. The e-mail addresses are then sent to a remote server.

Kirk's article explains that the worm acts like "Quickbuilder," a function within Yahoo's e-mail service that allows a user to collect e-mail addresses from a received message and enter them into Yahoo's virtual address book. This process "is transparent to the vicim," which means that if activated, the malicious script may not be detected until it is too late.

Though the issue has not been addressed by the current Yahoo Web e-mail, Yahoo's new mail service, "Yahoo Mail Beta," does not appear to be affected by the worm. Anyone still using the current service is encouraged to update virus and firewall protections, and block any e-mail sent from av3@yahoo.com. Infected e-mails may have a subject line reading: "New Graphic Site," and the body text may read "this is test."

More References

Jeremy Kirk's Article

Symantec's Security Response

Detection, explanation and removal tips from precisesecurity.com

Computer got bugs? If you think your computer system has been infected by this worm or have other spyware, virus, hardware or software issues, contact Drake Hardware & Software at 319.752.1155, or e-mail us at info@drakehs.com for more information about how we can help.