From:
http://blog.washingtonpost.com/securityfix/2006/06/yahoo_webmail_worm_on_the_loos.html

Security experts are warning of a new e-mail worm that takes advantage of a
flaw in Yahoo's Web mail system to redirect users to advertising sites and
to spread the worm to everyone in the victim's e-mail address book. 

According to an advisory issued by Symantec, "JS.Yamanner" exploits an
unpatched Javascript vulnerability that kicks in when the user opens an
e-mail infected by the worm. Unlike most e-mail-based worms -- which launch
when the recipient clicks on an infected file attachment -- this one spreads
merely by getting the user to open the e-mail.

There may well be different versions of this bugger going around, but the
one being tracked at the moment has "av@xxxxxxxxx" in the sender field, with
the subject "New Graphic site." Symantec said users of Yahoo Mail Beta do
not appear to be vulnerable to the worm.

When I followed the redirects on a test version of Windows XP, it launched
two Web sites -- one advertising various online animations and graphics, and
another that asks the visitor to download "Casino Tropez," an
online-gambling program apparently operated out of the Caribbean island of
Antigua (its entry at SiteAdvisor indicates this company is known for
advertising via spam with forged e-mail headers). 

The site hawking the online animations is registered to an Alireza Lavaei in
Ontario, Canada. The server that hosts the site also hosts about 50 other
marketing sites, most of them written in Arabic. It's important not to read
too much into the registration information, as it is most likely fraudulent.
Still, it is interesting to note that the server also hosts a (currently
inactive) site called Yahoo-Incs.com; people who work for Yahoo have e-mail
addresses that end in yahoo-inc.com, so such a site could be fairly
effective if leveraged in tandem with future social engineering attacks on
Yahoo users.

This attack does not appear to try to foist malware on visitors, but
according to Web security firm Websense, a trivial reconfiguration to the
worm could direct victims to sites that do. I have a call in to the people
at Yahoo, but until this vulnerability is fixed, you're probably best off
taking Websense's advice and using another Web mail program like Gmail or
Hotmail.

However, according to a writeup on this by the SANS Internet Storm Center,
there may be no easy way to fix this vulnerability. SANS incident handler
Arrigo Triulzi wrote that turning off Javascript on your browser will
prevent you from reading your Yahoo Webmail.

SANS also says it's aware of two versions of this worm going around,
released just two hours apart: "The [quick] release of a new version ...
which partially fixes the first version indicates that the code is very much
under development and you should assume that the remaining bugs will be
rapidly ironed out."

Read About It
Information about JS/Yamanner@MM is located on VIL at:
http://vil.mcafeesecurity.com/vil/content/v_139913.htm

Detection
JS/Yamanner@MM was first discovered on June 12, 2006 and detection will be
added to the 4783 dat files (Release Date: June 13, 2006).

Though we consider this a low threat, an EXTRA.DAT file may be downloaded
via the McAfee Avert Extra.dat Request Page:
https://www.webimmune.net/extra/getextra.aspx

If you suspect you have JS/Yamanner@MM, please submit a sample to
<http://www.webimmune.net>

Mike Grant
Bytware, Inc.
775-851-2900 

http://www.bytware.com
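The article describes a worm that spreads because the webmail front end rendered script embedded in an HTML mail body, and the SANS note explains why the client cannot simply switch JavaScript off: the fix has to happen on the server, before the body reaches the browser. The following is an added example of that class of fix, written for this archive page and not code from the Washington Post article, Symantec, Websense, McAfee or Bytware. It is an allowlist sanitizer for HTML mail bodies built on Python's standard-library `html.parser`; the function names `sanitize_mail_body` and `is_safe_url`, the tag and attribute allowlists, and the `SAMPLE_BODY` input (which uses the subject line quoted in the article and placeholders instead of any real worm code) are all constructed here.

```python
"""Allowlist sanitizer for HTML mail bodies (constructed example, stdlib only).

The robust fix for a webmail script worm is not a blocklist of known bad
strings but an allowlist: re-emit only the tags and attributes mail needs,
drop everything else, and let only known-harmless URL schemes through.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a mail body may keep; any other tag is dropped (its inner text is kept).
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong",
                "a", "img", "ul", "ol", "li", "blockquote"}
# Per-tag attribute allowlist. Deliberately no "style" and no on* handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose *content* must be discarded too, not just their tags.
DROP_CONTENT_TAGS = {"script", "style"}


def is_safe_url(value):
    """Accept only absolute URLs whose scheme is on the allowlist.

    Whitespace and control characters are removed before the scheme is
    examined so an obfuscated scheme cannot slip past the check.
    """
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class MailBodySanitizer(HTMLParser):
    """Streams an HTML body through and rebuilds it from allowlisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments, joined at the end
        self.dropped = []  # audit trail of what was removed and why
        self._skip = 0     # > 0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names and decodes entities
            if name.startswith("on"):  # event handlers never survive
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src") and not is_safe_url(value):
                self.dropped.append(f"url:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def handle_comment(self, data):
        # Comments are dropped entirely; conditional comments were a script
        # carrier in old Internet Explorer builds.
        self.dropped.append("comment")


def sanitize_mail_body(html):
    """Return (sanitized_html, dropped_items) for one mail body."""
    parser = MailBodySanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body mimicking the *shape* of a script-carrying mail
# (subject line from the article, placeholders in place of any real payload).
SAMPLE_BODY = (
    '<p>New Graphic site: <a href="http://example.com/gallery">see it</a></p>'
    '<script>/* placeholder: would run as soon as the mail is opened */</script>'
    '<img src="http://example.com/banner.gif" onload="void 0" alt="banner">'
    '<a href="JavaScript:void 0">click</a>'
    '<!--[if IE]><script>void 0</script><![endif]-->'
    '<iframe src="http://example.com/"></iframe>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_body(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
```

The design choice worth noting is that nothing here looks for a specific worm: the `<script>` block, the `onload` handler, the `javascript:` link, the conditional comment and the `<iframe>` are all removed for the same reason, namely that none of them is on the allowlist. The `dropped` list is returned so a mail system can log or alert on bodies that needed heavy sanitizing, which is the detection side of the same control. A production webmail system would use a maintained sanitizer library and would also have to handle CSS and the MIME structure of the message, which this stdlib-only example leaves out.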

