Symantec said the worm, JS.Yamanner@m, spreads itself to a user’s Yahoo! email contacts when the user opens an email infected by the worm. JS.Yamanner sends these email addresses to a remote server on the Internet.
“This worm is a twist on the traditional mass-mailing worms that we have seen in recent years. Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS.Yamanner makes use of a previously-unknown security hole in the Yahoo! Web mail program in order to spread to other Yahoo! users and harvests user information for possible future attacks,” said Symantec Security Response Director, Dave Cole.
Only those using contacts with an email address that is @yahoo.com or @yahoogroups.com are affected by the worm. Yahoo! Mail Beta users are not vulnerable to JS.Yamanner.
A message from JS.Yamanner can be distinguished by the following:
Subject: New Graphic Site
Body: this is test.
Also, if users open an infected email, their browser window is re-directed to display the Web page with URL: www.av3.net/index.htm.
JS.Yamanner is currently categorised as a Level 2 (out of five) threat by Symantec Security Response.
The company said that since a Yahoo! patch is unavailable, updating anti-virus definitions and deleting any emails received from firstname.lastname@example.org is highly recommended.