ABOUT SYMANTEC

Press Release

Symantec Voice of Reason: New Worm Uses Yahoo! Mail to Spread

SINGAPORE - 13 June, 2006 - Symantec Security Response has today identified a new JavaScript worm in the wild that exploits an unpatched vulnerability in Yahoo!’s Web-based e-mail program. The worm – JS.Yamanner@m – spreads itself to the user’s Yahoo! e-mail contacts when the user opens an e-mail infected by the worm. In addition, JS.Yamanner also sends these e-mail addresses to a remote server on the Internet. Only those using contacts with an e-mail address that is @yahoo.com or @yahoogroups.com are impacted by this worm. Users of Yahoo! Mail Beta do not appear to be vulnerable to JS.Yamanner.

JS.Yamanner exploits a vulnerability that enables scripts embedded in HTML e-mails to be run by the user’s browser. These scripts are normally blocked by Yahoo! Mail for security reasons. Symantec Security Response is currently categorizing JS.Yamanner as a Level 2 threat (on a scale of 1 to 5, with 5 being most severe).

The e-mails that JS.Yamanner sends can be distinguished by the following title and contents:

From: av3[at]yahoo.com
Subject: New Graphic Site
Body: this is test

Additionally, if users inadvertently open an infected e-mail, they will also see that their browser window is re-directed to display the Web page associated with the URL: http://www.av3.net/index.htm.

“This worm is a twist on the traditional mass-mailing worms that we have seen in recent years,” said Dave Cole, director at Symantec Security Response. “Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS.Yamanner makes use of a previously-unknown security hole in the Yahoo! Web mail program in order to spread to other Yahoo! users and harvests user information for possible future attacks.”

Yahoo! is a popular e-mail tool, and although normally closed to such threats, the exploitation of this vulnerability provides access to a significant number of Internet users. As there is no patch at present, users are recommended to update antivirus definitions and firewall signatures and to block any e-mails sent from av3@yahoo.com.

Symantec currently provides definitions to protect against JS.Yamanner. The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/

About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.