Worm Attacks Yahoo E-Mail

"The worm, which Symantec calls JS.Yamanner@m, is different from others in that a user merely has to open the e-mail to cause it to run," said Kevin Hogan, "senior manager for Symantec Security Response. Mass-mail worms have usually been contained in an attachment with an e-mail note encouraging a user to open it."

"The worm, written in _JavaScript, takes advantage of a vulnerability that allows scripts embedded in HTML e-mail to run in the users' browsers. Yahoo users should be able to modify their settings to block the 0-day exploit," Hogan said.

Symantec rated the worm a Level 2 threat, 1 notch above its least harmful ranking. Hogan said the worm didn't appear to be spreading widely, & he didn't anticipate the threat level to rise.

How It Spreads:

When activated, the worms sends itself to other users in the victim's address book who also use Yahoo e-mail with the suffixes of @yahoo.com or @yahoogroups.com. "The worm mimics a function within Yahoo's Web mail called "Quickbuilder," which allows a user to add contacts in an address book from received e-mail," Hogan said. "The process, however, is transparent to the victim," he said.

"The harvested e-mail addresses are sent to a remote server. Users of Yahoo Mail Beta do not appear to be affected," Symantec said.

The worm also opens a browser that displays a Web page that doesn't appear to contain malicious content.

Although Yahoo's Web e-mail hasn't been fixed, users are advised to update virus & firewall definitions & block any e-mail sent from av3@yahoo.com. The subject line of the e-mail with the worm says "New Graphic Site," & the body says "this is test."

Yahoo officials could not immediately be reached for comment.