JS.Yamanner exploits a vulnerability that enables scripts embedded in HTML e-mails to be run by the user’s browser. These scripts are normally blocked by Yahoo! Mail for security reasons. Symantec Security Response is currently categorizing JS.Yamanner as a Level 2 threat (on a scale of 1 to 5, with 5 being most severe).
The e-mails that JS.Yamanner sends can be distinguished by the following title and contents:
Subject: New Graphic Site
Body: this is test
Additionally, users who inadvertently open an infected e-mail will see their browser window redirected to display the Web page at the URL: http://www.av3.net/index.htm.
“This worm is a twist on the traditional mass-mailing worms that we have seen in recent years,” said Dave Cole, director at Symantec Security Response. “Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS.Yamanner makes use of a previously-unknown security hole in the Yahoo! Web mail program in order to spread to other Yahoo! users and harvests user information for possible future attacks.”
Yahoo! is a popular e-mail tool, and although it is normally closed to such threats, the exploitation of this vulnerability provides access to a significant number of Internet users. As there is no patch at present, users are advised to update antivirus definitions and firewall signatures and to block any e-mails sent from firstname.lastname@example.org.
Symantec currently provides definitions to protect against JS.Yamanner. The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.