June 13, 2006
This issue has been resolved by Yahoo! as of June 13, 2006. The solution has been distributed to all Yahoo! Mail customers. Further information is located here:
http://news.yahoo.com/s/ap/20060613/ap_on_hi_te/yahoo_worm
Symantec continues to recommend that users always read their email with care, being particularly cautious regarding unexpected emails.
New Email Threat Targeting Yahoo! Mail Accounts
Symantec Security Response has today identified a new JavaScript worm in the wild that exploits an unpatched vulnerability in Yahoo!’s Web-based e-mail program. The worm – JS.Yamanner@m – spreads itself to the user’s Yahoo! e-mail contacts when the user opens an e-mail infected by the worm. In addition, JS.Yamanner also sends these e-mail addresses to a remote server on the Internet. The worm affects only contacts whose e-mail address is @yahoo.com or @yahoogroups.com.
JS.Yamanner exploits a vulnerability that enables scripts embedded in HTML e-mails to be run by the user’s browser. These scripts are normally blocked by Yahoo! Mail for security reasons. Symantec Security Response is currently categorizing JS.Yamanner as a Level 2 threat (on a scale of 1 to 5, with 5 being most severe). Users of Yahoo! Mail Beta do not appear to be vulnerable to JS.Yamanner.
The e-mails that JS.Yamanner sends can be distinguished by the following title and contents:
- From:
- Subject: New Graphic Site
- Body: this is test
Additionally, if users inadvertently open an infected e-mail, they will also see that their browser window is redirected to display the Web page associated with the URL: [http://]www.av3.net/index.htm.
Yahoo! is a popular e-mail tool, and although normally closed to such threats, the exploitation of this vulnerability provides access to a significant number of Internet users. As there is no patch at present, users are recommended to update antivirus detection signatures and firewall and email gateway rules to block any e-mails sent from av3[at]yahoo.com.
Symantec currently provides antivirus detection signatures to protect against JS.Yamanner. The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/
To reduce the possibility of being affected by the JS.Yamanner worm, Symantec Security Response advises users to do the following:
- Do not open or view any emails whose subject line or address matches those listed above. These emails should be deleted immediately.
- Ensure that the latest virus detection signatures are being used. Both Norton AntiVirus and Symantec AntiVirus automatically download the latest updates, but users can use LiveUpdate to check for updates as a precaution if they so desire.
- Email gateways should be configured to block emails received from av3[at]yahoo.com.
- Firewalls should be configured to block outbound traffic activity to www.av3.net/index.htm.
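The gateway check recommended above can be sketched as follows. This is an added example, not Symantec's or Yahoo!'s code: it parses a message and reports which of the advisory's indicators (sender, subject, body, redirect host) it carries. The function names, the sample messages and the quarantine policy are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators from the advisory (sender is printed there as av3[at]yahoo.com).
BLOCKED_SENDER = "av3@yahoo.com"
SUBJECT = "new graphic site"
BODY = "this is test"
REDIRECT_HOST = "www.av3.net"

# Constructed sample messages, not captured traffic.
SAMPLE_WORM = (
    'From: "A Friend" <AV3@Yahoo.com>\n'
    "Subject: =?utf-8?q?New_Graphic_Site?=\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    "<html><body>this is test</body></html>\n"
)
SAMPLE_BENIGN = "From: alice@example.org\nSubject: New graphic site launch\n\nSee attached.\n"


def yamanner_indicators(raw_message):
    """Return the sorted advisory indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    # parseaddr drops the display name, so a friendly-looking name cannot hide the address.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() == BLOCKED_SENDER:
        hits.add("sender")
    # policy.default decodes RFC 2047 encoded-words before we compare.
    if " ".join(str(msg.get("Subject", "")).split()).lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        visible = re.sub(r"<[^>]+>", " ", text)  # crude tag strip for HTML parts
        if " ".join(visible.split()).lower() == BODY:
            hits.add("body")
        if REDIRECT_HOST in text.lower():
            hits.add("redirect-host")
    return sorted(hits)


def should_quarantine(raw_message):
    """Assumed policy: blocked sender alone, or subject and body together."""
    hits = set(yamanner_indicators(raw_message))
    return "sender" in hits or {"subject", "body"} <= hits
```

The subject on its own is left as a reporting-only indicator because a legitimate message could share it; the sender address is the only single indicator the advisory asks gateways to block.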