mpinsky

Yahoo Group Worm

Worm infecting Yahoo Group users through attachment.


Those of you who use Yahoo Groups may or may not have already heard this, but about three days ago, I received an update from one of the groups I am a member of. Inside this notice I found two "New Graphic Site" messages and one "Virus Warning". The previous two came with attachments. Luckily, I read the virus warning first before opening them. In the virus warning was this piece of advice:

Just a quick warning to members about a virus that is sweeping Yahoo groups. It contains a number of attachments and the subject line reads "New Graphic Site". Don't open the attachments - in fact, I'd suggest that the list owner/moderator delete them out of the list's archives (I've done that on my groups). Also, anyone who has received one of these - even if you didn't open it (my Outlook Express opens things automatically when I highlight the e-mail in my list - but, for once I'm happy I have a Mac, since I'm almost guaranteed to be safe from any viruses coming through) - run a virus scan on your computer.
Again, don't open any e-mails coming through Yahoo groups that have the subject "New Graphic Site" - it's a worm and will continue spreading through the groups more quickly as more members get their computers infected.

~Urd-chan


Just thought I'd give you guys a heads up if you haven't received this notice already.
Edited by mpinsky (see edit history)


Outbreak Confirmed.

JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo! Mail service to send a copy of itself to other Yahoo! Mail contacts.

Notes:

* The worm cannot run on the newest version of Yahoo Mail Beta.

Also Known As: JS/Yamanner@MM [McAfee], JS_YAMANER.A [Trend Micro], Yamanner.A [F-Secure], JS/Yamann-A [Sophos]

Type: Worm

Infection Length: 6,377 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Yahoo Mail users are advised to BLOCK all mail from "av3@yahoo.com", although by now, Yahoo admins will have taken care of this server side. Also, use the new BETA GUI (in spite of its clunkish attempts to emulate GMail ;-) )

JS.Yamanner@m arrives on the compromised computer as a Yahoo! HTML email containing JavaScript. If the email is opened within Yahoo! Mail, it performs the following actions:

1. Exploits a vulnerability in the Yahoo! Mail service and executes a script.

2. Scans emails in the personal folders of the Yahoo! Mail account. The worm gathers email addresses that contain @yahoo.com and @yahoogroups.com domains.

Note: The personal folders are email folders in the currently logged in Yahoo! Mail account. These include folders such as the Inbox, Sent, and any custom-named folders in the account.

3. Sends a copy of itself to the email addresses gathered. The email may have the following characteristics:

From: Varies
Subject: New Graphic Site
Message Body: Note: forwarded message attached.

4. Redirects the Web browser from Yahoo! Mail to the following Web site:

http://forums.xisto.com/no_longer_exists/

5. Sends the list of gathered email addresses to the above URL.

Edited by sparx (see edit history)
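
An added example, not part of the original post or of any vendor's tooling: a mail-filter check built from the indicators listed above (the subject line, the body note, the av3@yahoo.com sender, and HTML mail that carries script). The function names and sample messages are constructed for illustration, and the script patterns are generic markers, not the worm's actual code.

```python
import re
from email import message_from_string

# Indicators quoted in the post above; matching is case-insensitive.
SUBJECT, BODY_NOTE = "new graphic site", "note: forwarded message attached."
BLOCKED_SENDER = "av3@yahoo.com"
# Generic signs of script in HTML mail (assumption, not the worm's own code).
ACTIVE_HTML = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.I)

def indicators(raw):
    """Return the set of indicator names found in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.add("subject")
    if BLOCKED_SENDER in (msg.get("From") or "").lower():
        hits.add("sender")
    # walk() also descends into forwarded messages attached as message/rfc822.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        if BODY_NOTE in text.lower():
            hits.add("body-note")
        if part.get_content_type() == "text/html" and ACTIVE_HTML.search(text):
            hits.add("html-script")
    return hits

def should_quarantine(raw):
    """The subject alone is weak evidence; require a second indicator with it."""
    hits = indicators(raw)
    return "sender" in hits or ("subject" in hits and len(hits) >= 2)

# Constructed samples (not captured traffic); the script body is a placeholder.
WORM_LIKE = (
    "From: someone@yahoo.com\nSubject: New Graphic Site\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nNote: forwarded message attached.\n"
    "--b1\nContent-Type: message/rfc822\n\nContent-Type: text/html\n\n"
    "<html><script>/* placeholder */</script></html>\n--b1--\n"
)
BENIGN = (
    "From: friend@example.com\nSubject: New Graphic Site\n"
    "Content-Type: text/plain\n\nMy portfolio is online, have a look.\n"
)

if __name__ == "__main__":
    print(should_quarantine(WORM_LIKE), should_quarantine(BENIGN))  # True False
```

The benign sample shares the subject line but nothing else, so it is delivered; a list moderator could run the same check over a group's archive to find copies to delete.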


I can't really say what the person who receives the email addresses does with them, but it stands to reason that harvesting email addresses in any manner but particularly by way of a worm means the creator is up to no good!


In a different article I heard that this exploit had something to do with AJAX. I have yet to find a good resource that fully describes the problem. Is the script run on the server or on the user’s end? It is slightly confusing as I have not heard that it only affects IE or Firefox and that is usually the deciding factor when a web exploit is run on the user’s machine.


I might be wrong here, so correct me if I am. I think what the worm does is when you open your mail, it would automatically mail itself to other people on your contacts. Does no harm to your computer, actually. I think it is run on the server and thus affects both IE and Firefox.


I might be wrong here, so correct me if I am. I think what the worm does is when you open your mail, it would automatically mail itself to other people on your contacts. Does no harm to your computer, actually. I think it is run on the server and thus affects both IE and Firefox.


Quite correct. Although the worm does no harm to the local computer, it does take its toll on networks by clogging up bandwidth. What's scary is the fact that it's exploiting server-side JScript code to cause damage. All browsers are affected. This is NOT a browser issue, but an issue with Yahoo's implementation of scripting. Take note that this vulnerability does not exist for the new BETA interface.
