JS/Yamanner@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 06/12/2006
- Length: Varies
- Minimum DAT: 4783 (06/13/2006)
- Updated DAT: 4954 (02/01/2007)
- Minimum Engine: 5.1.00
- Description Added: 06/12/2006
- Description Modified: 06/13/2006 2:22 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
There are reportedly two known variants of this threat. It appears to be under development/refinement and the initial variant contains a typo in the code.
This email worm attempts to spread by exploiting a vulnerability in Yahoo! Mail involving the automatic execution of JavaScript. Yahoo is reportedly working on a fix and blocking most of these messages.
Messages containing the virus code may appear as follows:
Subject: New Graphic Site
Body: Note: forwarded message attached.
The email message body contains JavaScript designed to execute upon viewing the email message via Yahoo! Mail. Once running, the script harvests '@yahoo.com' and '@yahoogroups.com' email addresses from Yahoo! Mail folders, and then sends a copy of itself to those addresses. The script also sends a list of the harvested addresses to av3.net.
Symptoms
Viewing an email message as described via Yahoo! Mail may be an indication that an infection has occurred.
Method of Infection
This threat "auto-executes" by exploiting a vulnerability in the onload event handling of Yahoo! Mail. A specially crafted email message allows an attacker to execute script code that should not be allowed to execute. This threat exploits this vulnerability to launch a script that harvests email addresses and sends those recipients (BCC) the virus embedded in a new email message.
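As an added example (not McAfee's detection logic and not code from this description), a mail-gateway style check for the indicators listed above: the subject and body text, an inline event-handler attribute in the HTML body, and a reference to av3.net. The function names and both sample messages are constructed for illustration.

```javascript
// Added example: constructed inputs, hypothetical function names.
// Collect attribute names beginning with "on" (onload, onerror, ...) from every
// start tag. Quoted values are consumed whole, so "onload=" inside a value or a
// ">" in text is not misread. Tags with unbalanced quotes do not match here; a
// production filter should use a real HTML parser and fail closed.
function eventHandlerAttrs(html) {
  const tagRe = /<[a-zA-Z][^\s\/>]*((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const found = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) {
      if (/^on[a-z]+$/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Report which of the indicators from this description a message shows.
function yamannerIndicators(msg) {
  const hits = [];
  if (/^\s*New Graphic Site\s*$/i.test(msg.subject)) hits.push("subject");
  if (/Note: forwarded message attached\./i.test(msg.html)) hits.push("body-text");
  const handlers = eventHandlerAttrs(msg.html);
  if (handlers.length > 0) hits.push("event-handler:" + handlers.join(","));
  if (/\bav3\.net\b/i.test(msg.html)) hits.push("av3.net");
  return hits;
}

// Constructed sample messages (not captured traffic).
const suspicious = {
  subject: "New Graphic Site",
  html: '<html><body>Note: forwarded message attached.' +
        '<img src="cid:logo" onload="placeholder(\'av3.net\')"></body></html>',
};
const benign = {
  subject: "Lunch on Friday",
  html: '<p title="onload=1">a > b</p>' +
        '<a href="https://example.com/?q=onload=x">menu</a>',
};

console.log(yamannerIndicators(suspicious));
console.log(yamannerIndicators(benign));
```

The subject and body strings are weak signals on their own; the event-handler attribute is the structural indicator tied to the onload behaviour described above.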
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
-- Update June 13, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2006/06/yahoo_webmail_worm_on_the_loos.html
For an Extra.Dat file for this threat please visit the McAfee Extra Dat Request Page at:
https://www.webimmune.net/extra/getextra.aspx
--
This threat attempts to spread via email as embedded JavaScript (there is no email attachment) and harvests Yahoo-related addresses from the victim's profile. Infectious messages may appear as follows:
Subject: New Graphic Site
Body: Note: forwarded message attached.
Reading such an infectious message via Yahoo! Mail can result in execution of the virus code.
Aliases
- JS.Yamanner@m (Symantec)