Tuesday, June 13, 2006

Yamanner: JavaScript worm targeting Yahoo! Mail.

There has been some media attention on the new JavaScript worm Yamanner, which targets Yahoo! webmail and groups. The "Yamanner" worm exploits a JavaScript vulnerability in Yahoo's Web mail. The worm targets addresses in the "yahoo.com" and "yahoogroups.com" domains, and arrives as an HTML message containing JavaScript. As soon as the recipient views the message, the script runs automatically and spreads the worm to other users in the Yahoo address book. The message has a From address of av3@yahoo.com and a Subject: of "New Graphic Site." Addresses harvested from the address book are then submitted to a remote URL, which is likely to be used for a spam database.

Yamanner won't execute on the newest Yahoo Mail Beta. Until Yahoo patches the flaw, I recommend that users steer clear of the service or disable the browser's JavaScript capabilities before reading any Web mail.

This type of worm is not a surprise - it was theorized a few years ago. Yamanner is, however, the first worm to be realized in the wild. Please note, however, that we don't see many cases of it right now, as most vendors already have full detection.
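The indicators described above (the From address, the Subject line, and an HTML body carrying script) can be turned into a mail-gateway triage check. This is an added example, not code from the original post or from any vendor's detection; the function and class names, the verdict labels and the three sample messages are constructed, and the `on*` / `javascript:` heuristics are an assumption, since the post does not say how the script is embedded.

```python
import email
from email import policy
from html.parser import HTMLParser

# Indicators stated in the post; a variant can change them, so treat as hints.
WORM_FROM, WORM_SUBJECT = "av3@yahoo.com", "new graphic site"

# Constructed sample messages (not captured worm traffic).
SUSPECT = (b"From: av3@yahoo.com\r\nSubject: New Graphic Site\r\n"
           b"Content-Type: text/html\r\n\r\n<body onload=\"void(0)\">hi</body>")
RENAMED = (b"From: bob@example.com\r\nSubject: Photos\r\n"
           b"Content-Type: text/html\r\n\r\n<a href=\"javascript:void(0)\">x</a>")
BENIGN = (b"From: alice@example.com\r\nSubject: Lunch\r\n"
          b"Content-Type: text/html\r\n\r\n<p>See you at <b>noon</b>.</p>")

class ActiveContentFinder(HTMLParser):
    """Records script-capable markup: <script>, on* handlers, javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling this.
        if tag == "script":
            self.hits.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"{tag}@{name}")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}@{name}=javascript:")

def triage(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if WORM_FROM in str(msg.get("From", "")).lower():
        reasons.append("from-indicator")
    if WORM_SUBJECT in str(msg.get("Subject", "")).lower():
        reasons.append("subject-indicator")
    header_hits = len(reasons)
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    if finder.hits:
        reasons.append("active-html:" + ",".join(finder.hits))
    if finder.hits and header_hits:
        return "quarantine", reasons
    return ("review" if reasons else "clean"), reasons
```

Active HTML is the durable signal here: a message that changes its sender and subject still lands in "review" rather than "clean".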