JS.Yamanner@m spreads to the user’s email contacts when he or she opens an infected email, according to a Symantec advisory issued today. In order for the worm to propagate, the user does not have to click on any attachments.
"This worm is a twist on the traditional mass-mailing worms that we have seen in recent years," said Dave Cole, director of Symantec Security Response. "Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, (the worm) makes use of a previously unknown security hole…in order to spread to other Yahoo users, and (it) harvests user information for possible future attacks."
Once the email is opened, the worm exploits a flaw in Yahoo Mail to run a script normally blocked by the service, according to the advisory. The user’s browser is re-directed to display the URL http://]www.av3.net/index.htm, not believed to be malicious. The worm then copies itself to other addresses in the user’s Yahoo email folders if the addresses end with "@yahoo.com" or "@yahoogroups.com."
The infected emails contain a subject that reads "New Graphic Site" and a body that reads: "this is a test." The messages come from av3[at]yahoo.com
Because there is no patch available, users are advised to keep their anti-virus software updated and to block any emails originating from the bogus sender.
Yahoo representatives said web mail users have received automatic protection against the worm, which impacted a small number of customers.
"We have taken steps to resolve the issue and protect our users from further attacks of this worm," spokeswoman Kelley Podboy said. "Yahoo treats security and user protection seriously. When we learn of email abuse, such as a worm or other online threat, we take appropriate action."