Michael

Forward as appropriate. See also
http://securityresponse.symantec.com/avcenter/venc/data/js.yamanner@....

http://www.pcworld.com/news/article/0,aid,126048,00.asp

Worm Attacks Yahoo Email
Mass-mailing worm exploits a vulnerability in the Web-based e-mail,
but its impact is low.
Jeremy Kirk, IDG News Service
Monday, June 12, 2006

A mass-mail worm that exploits a vulnerability in Yahoo's Web-based
e-mail is making the rounds but the impact appears to be low, security
vendor Symantec said today.

The worm, which Symantec calls JS.Yamanner@m, is different from others
in that a user merely has to open the e-mail to cause it to run, said
Kevin Hogan, senior manager for Symantec Security Response. Mass-mail
worms have usually been contained in an attachment with an e-mail note
encouraging a user to open it.

The worm, written in JavaScript, takes advantage of a vulnerability
that allows scripts embedded in HTML e-mail to run in the users'
browsers. Yahoo users should be able to modify their settings to block
the zero-day exploit, Hogan said.

Symantec rated the worm a Level 2 threat, one notch above its least
harmful ranking. Hogan said the worm did not appear to be spreading
widely, and he did not anticipate the threat level rising.

How It Spreads

When activated, the worm then sends itself to other users in the
victim's address book who also use Yahoo e-mail with the suffixes of
@... or @yahoogroups.com. The worm mimics a function within
Yahoo's Web mail called "Quickbuilder," which allows a user to add
contacts in an address book from received e-mail, Hogan said. The
process, however, is transparent to the victim, he said.

The harvested e-mail addresses are sent to a remote server. Users of
Yahoo Mail Beta do not appear to be affected, Symantec said.

The worm also opens a browser that displays a Web page that does not
appear to contain malicious content.

Although Yahoo's Web e-mail has not been fixed, users are advised to
update virus and firewall definitions and block any e-mail sent from
av3@.... The subject line of the e-mail with the worm says "New
Graphic Site," and the body says "this is test."

Yahoo officials could not immediately be reached for comment. (end
article)

http://securityresponse.symantec.com/outbreak/yahoo_mail.html

Threat Advisory Center
New Email Threat Targeting Yahoo! Mail Accounts

What It Is

Symantec Security Response today identified a new worm that exploits a
vulnerability in Yahoo!'s Web-based e-mail program. The worm –
JS.Yamanner@m – spreads itself to the user's Yahoo! e-mail contacts
when the user opens an e-mail infected by the worm. In addition, the
worm also sends these e-mail addresses to a remote server on the
Internet. Only people with an e-mail address that is on yahoo.com or
yahoogroups.com may be impacted by this worm.

Symantec currently provides antivirus detection signatures to protect
Yahoo! Mail account users against the JS.Yamanner worm. Symantec
encourages these users to run LiveUpdate to ensure that they have the
latest security updates.

Symantec Security Response is currently categorizing JS.Yamanner as a
Level 2 threat (on a scale of 1 to 5, with 5 being most severe). Users
of Yahoo! Mail Beta do not appear to be vulnerable to the worm.

The e-mails can be recognized by the following title and contents:
From:
Subject: New Graphic Site
Body: This is test
Note: If users accidentally open an infected e-mail, they will also
see that their browser window is re-directed to the URL:
http://www.av3.net/index.htm.

Yahoo! is a popular e-mail program and is not normally affected by
this type of threat. There is no patch at the present time and
Symantec is recommending that users ensure that they have the latest
security updates.

The Symantec Security Response Web site provides additional details at
http://securityresponse.symantec.com/

Protect Yourself
To reduce the possibility of being affected by the JS.Yamanner worm,
Symantec Security Response advises users to do the following:

Do not open or view any emails whose subject line or address matches
those listed above. These emails should be deleted immediately.

Ensure that the latest virus detection signatures are being used. Both
Norton AntiVirus and Symantec AntiVirus automatically download the
latest updates, but users can use LiveUpdate to check for updates as a
precaution if they so desire.

Email gateways should be configured to block emails received from
av3@....

Firewalls should be configured to block outbound traffic activity to
http://www.av3.net/index.htm
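
The gateway-side check recommended above, sketched in Python as an added example (not code from Symantec, PC World or the sender of this message). It matches the subject, body and redirect host quoted in the advisory after normalising case, whitespace, MIME-encoded subjects and HTML markup; the function names and the two-indicator quarantine policy are assumptions.

```python
import re
from email import message_from_string, policy

# Indicators quoted in the advisory. The sender address is elided on the
# page, so it is deliberately not matched here.
SUBJECT, BODY, REDIRECT_HOST = "new graphic site", "this is test", "www.av3.net"

# Constructed sample (not a captured message): encoded subject, HTML body.
SAMPLE_HIT = (
    "From: sender@example.invalid\n"
    "Subject: =?utf-8?q?New_Graphic_Site?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>This is\n  test</p></body></html>\n"
)

def _norm(text):
    """Lower-case and collapse whitespace so case and spacing variants match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def _visible_text(part):
    """Text of one MIME part; for HTML, drop script/style bodies and all tags."""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", text)
        text = re.sub(r"(?s)<[^>]+>", " ", text)
    return text

def yamanner_indicators(raw_message):
    """Return which advisory indicators appear in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    if _norm(str(msg["Subject"] or "")) == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if REDIRECT_HOST in part.get_content().lower():
            hits.add("redirect-host")
        if _norm(_visible_text(part)) == BODY:
            hits.add("body")
    return hits

def should_quarantine(raw_message):
    """Assumed policy: subject plus one more indicator, to limit false positives."""
    hits = yamanner_indicators(raw_message)
    return "subject" in hits and len(hits) >= 2
```

The body text appears as "this is test" in the article and "This is test" in the advisory, which is why the comparison is case-insensitive.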