Worm wriggles through Yahoo mail flaw

A new worm that targets Yahoo e-mail users is on the loose, taking advantage of an JavaScript flaw, a security company has warned.

The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday.

At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

"We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user," a Yahoo representative said.

Both Yahoo and Symantec are encouraging people to update the antivirus definitions on their PCs.

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site." Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo e-mail contact list. The harvested e-mail addresses are also sent to a remote online server, which Symantec suspects may use the information for spam campaigns.

"The worm is taking a pretty novel approach," said Dean Turner, senior manager of Symantec Security Response. "It takes advantage of a JavaScript vulnerability, so the user doesn't even have to click on an attachment to get infected."

Yamanner exploits the Yahoo flaw by enabling the scripts that are embedded in HTML e-mails to be run by the user's Web browser.

The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said.

Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a "2." The security vendor uses a 1-to-5 rating system, with "5" as its most severe category.

"Antivirus definitions have been released for it, and Yahoo is working on a patch, so we don't want to cry wolf," Turner said. "Although there is the potential the worm will affect a larger number of people, for now to raise it to another (higher) level would be inappropriate."

He added it is premature to predict whether this worm will morph into other forms and attack other browser-based forms of e-mail, such as Google's Gmail.

Systems affected include Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP, according to Symantec's advisory.

[TheReaperD]

Yahoo Groups

This is playing hell with Yahoo groups. We're having to moderate member's posts because of it. We've had several people from the same list affected.

[gary85739]

Yahoo will have a fix SOON!

Yahoo! will have a patch by the end of the week, at the latest! Probably sooner...

[jim_mac]

Mac OS not affected

"Systems affected include Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, Windows Server 2003 and Windows
XP, according to Symantec's advisory."

Gee, what a surprise... yet another problem that does not affect
Macs! This makes one wonder why JavaScript seems to be getting
all the blame in this article. Could it be that the Microsoft operating
systems are at least partially to blame?!?

[sudhendra]

Worm wriggles through unpatched Yahoo and I have lost my password to Yahoo

The worm has affected me (yahoo profile: sudhi_bs and my friend (yahoo profile madan7).
We are not able to login. Worst part is we have forgotten the security question to reset our password and also our alternative email address are invalid as yahoo id were pretty much our identity for past 8-9 years. WE both have tons of confidential information in yahoo account. Is there a way we can talk to yahoo security or customer support team. We are genuine folks and not any spammers. We need our identity back. We need our nemesis back. Can any onehelp? I can be reached at 408 203 9960 or Sudhi.Seshachala@gmail.com
Thanks

[Lpahl]

Oh please Yahoo!

They say "FEW" have been affected? The entire Yahoo Groups has been affected. Put it this way I don't know anyone associated with Yahoo Groups who has not been affected.

I cannot even get into Yahoo Groups anymore, they even have Yahoo Customer Care down.

As for the letter they emailed everyone? When and where?!?!

[J.G.]

Headline should read 'Windows worm'

Also, the grammar is a giveaway. The message should read g-r-a-p-h-i-c-s. Spammers and malware makers often make mistakes in spelling and grammar.

[OneWithTech]

You sure this isn't a IE BROWSER FLAW.....

....and not a Yahoo JavaScript Screwup? Being a web developer I've see this a mile away? Javascript functionality is dumbed down because of IE's way of blocking certain script actions.

Take the MN Department of Public Safety. The code they use on there DMV site puts every DMV computer at risk of being exploited by this code. EVERY DVM PC.

There web code (MN DMV) requires the web code to use certain DNR printer templates that reside on the user's computer, not on a web server. So when someone from the MN DMV has to print out a DNR tag or any other orange tag for that matter the web code REQUIRES the need to access the printer templates on the local computer.

How does this put every MN DMV computer that uses this technology at risk? Well, say for instance a state employee decides to do there own surfing on lunch break ( I've personally seen this, so don't say it doesn't happen) and they come across a rogue website that uses JavaScript to access the local computer. You can figure out what can happen at this point. The security issues that this presents is just aw inspiring.

This would also allow TOTAL CONTROL of the host computer as well as the ability to download rogue code in the background unknown to the user until something terrible happens.

The solution for MN DMV:
Keep the template files on the web server for local web server access. You say there are so many people accessing the templates that it would decimate the performance of the servers! I tell you get a better IT staff, faster pipeline, and better servers. That will solve all of your problems. The MN DMV that is.

So you think that the MN DMV and Yahoo only have this problem you better check out your own web code. JavaScript is Super Powerful and part of the new Web 2.0 and AJAX era that's going on right now. So start practicing practical and safe coding!

Justin
Tech01.net

[BenPanced]

Macs NOT safe!

Contrary to what Jimmy Mac posted earlier, this worm does go through on a Mac system. I'm running OS X at home and opened one of the infected emails in my Yahoo account. 24 hours later, I'd gotten hits from all of my Yahoo groups, all with my email address on them as the sender.

[Howard Moss]

I GOT HIT WITH YOUR WORM. HELP!

I GOT YOUR WORM/VIRUS TWO DAYS AGO, I COULD NOT SEND ANY EMAILS. INCOMING WAS NOT A PROBLEM. I DELETED THE BETA VERSION OF INTERNET EXPLORER ANDI AM OK NOW.

[gmoggo]

yahoo worm

hi all,

here's the problem I've been having:
yahoo won't let me sign in, I can use messenger but it just won't recognize my ID and password when I sign in to check mail for instance, it keeps taking me back to the sign in page,

furthermore it seems my cookies have been disabled as my bank page and amazon who have cookies asked me to re-sign.

it could be the worm, thought I don't remember clicking on it but with the amount of crap I get everyday, I may have clicked it by mistake.

if yahoo has indeed emailed a fix, how can I open the email if I can't sign in? also I tried singing in from another computer and I got the same response, it would keep reloading the sign in page

any help? thanks

[btl-jooz]

One man blog site does better

job of reporting this issue than CNet.

READ it HERE: http://p2pnet.net/story/9059