Full Version: Js.yamanner - Spreads Via Yahoo's Free Email Service
harrywaldron
QUOTE
JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user's Yahoo email contacts.

EMAIL to AVOID:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.


JS.Yamanner - Spreads via Yahoo's free email service
http://secunia.com/virus_information/29782/js.yamanner/
http://www.sarc.com/avcenter/venc/data/js.yamanner@m.html
quietman7
More info: Yahoo Mail Worm Harvesting Addresses
Elendil
Here's PCWorld's info:

http://www.pcworld.com/resource/article/0,...,RSS,RSS,00.asp

Thankfully, I use Gmail!
quietman7
Last Updated: 2006-06-12 21:19:00
QUOTE
...To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses...There is currently no trivial fix for Yahoo! mail as turning off Javascript on the browser will prevent you from reading your e-mail... Yahoo! is aware of the issue and is working on a fix, in their words "Yahoo! Mail is blocking most of these messages, and is working on a fix."
http://isc.sans.org/diary.php?compare=1&storyid=1398

Edit: To clarify, the Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.
quietman7
Just received this from our network Administrator (no link was provided).
QUOTE
Yahoo says that a solution has automatically been distributed to all Yahoo mail customers, but Symantec's Security Response site suggests that Yahoo mail users might best protect themselves by upgrading to the latest test version of the recently upgraded Yahoo Mail software. "The worm cannot run on the newest version of Yahoo Mail Beta", Symantec's site says.
NCRedNeckK
So here is the question that I have looked all over for, but have not been able to find a direct answer to:

Does this worm only run when an infected e-mail is opened?

Or, does something get installed locally on the PC that will cause all future e-mails to be infected?

One other one: The solution that Yahoo sent out, was it sent via e-mail? If so, and one deleted it, is there any way to get a copy?

Thanks for any help.
buddy215
The message will have a "From" address of av3@yahoo.com and a "Subject:" of "New Graphic Site."

It is recommended that you block the address "av3@yahoo.com"
quietman7
The worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer.

Since the solution was automatically distributed, I would say yes by email. I will check around some more to see where else it's available and let you know if I find anything.
NCRedNeckK
I understand that it is in the e-mail itself, and not an attachment. When the Javascript runs, is anything installed locally?
quietman7
There are no other related malware files installed if that's what you're asking about. When the script runs it sends a copy of itself to email addresses gathered from the Yahoo email folders. Harvested addresses from the address book are then submitted to a remote URL, which is likely to be used for a spam database...technical details here.
NCRedNeckK
Thanks Quietman, that's exactly what I was asking about. I find it interesting that Symantec has you turn system restore off and run a full system scan. It looks like that is a waste of time.
quietman7
Yahoo quickly steps on e-mail worm
QUOTE
..."Once we were aware of it we put a solution in place," said Kelly Podboy, a spokeswoman for the Mountain View, California, company.

"It has been resolved. We don't know how many users were impacted, but we believe it was a very small fraction."...
Wysi Free
Today I got an email from myself saying that I had a site dealing with electronics. The email went to everyone in my address book.

The original Yamanner seemed to target only Yahoo sites with hope of further spreading whatever it is they are spreading. This one targeted everyone in my address book. I did an immediate scan -- several different ones and my XP came up clean on all counts. Yamanner was said to be a script that once the email was opened would "infect" the Yahoo account.

The subject line was "HI" and there were some links in the email. Comments on the original were that they had to do with a graphics site. I don't remember seeing anything like that and generally just zap things that look strange before opening. I have reported this to Yahoo but no reply yet.

Anyone else seen this or am I special?
