June 12, 2006
An early-morning report on a security mailing list led to the discovery of a mass-mailing email worm that impacted Yahoo webmail users. Dubbed JS.Yamanner@m (Symantec), JS_YAMANER.A (Trend Micro), and JS/Yamanner@mm (McAfee), the Yamanner worm functions by exploiting the JavaScript onload event handler. No files are dropped to the impacted user's system, so the computer does not maintain an infected state.
When the Yamanner email is opened, the malicious script exploits a flaw in the Yahoo email service, gathering addresses found in the Yahoo email folder and sending a copy of itself to any @yahoo.com and @yahoogroups.com email addresses found. Yamanner also sends a list of those same addresses to a remote website, presumably for spam purposes.
Yamanner arrives in an email with the following characteristics:
From: spoofed or av3@yahoo.com
Subject: New Graphic Site
Body: (one of the following)
Note: forwarded message attached.
this is test
Yahoo responded to the threat by filtering messages for the presence of the onload event handler, replacing it with 'onfiltered', effectively neutering the worm's exploit.
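The filter described above targets one attribute name. As an added example (not Yahoo's code and not part of the original report), the Python below approximates that rename with a regular expression and sets it beside an allowlist sanitizer that rebuilds a message from permitted tags and attributes only, so it does not depend on naming each event handler. The function names, the allowlist policy and the sample message are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message body (not the worm's actual payload).
SAMPLE = '<p>New Graphic Site</p><img src="logo.gif" onload="doSomething()">'

def rename_onload(html_text):
    # Approximates the described filter: a renamed attribute is not a handler.
    return re.sub(r"onload", "onfiltered", html_text, flags=re.IGNORECASE)

# Allowlist (assumed policy): tag -> attributes that may be kept.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                # elements without a closing tag
DROP_CONTENT = {"script", "style"}  # element bodies discarded entirely
# URLs must be http(s)/mailto, or relative (no scheme, hence no colon).
SAFE_URL = re.compile(r"^(https?:|mailto:|[^:]*$)", re.IGNORECASE)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:   # the parser lowercases tag and attribute names
            value = (value or "").strip()
            if name in ALLOWED[tag] and (name == "alt" or SAFE_URL.match(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html_text):
    # Rebuild the message from allowlisted tags and attributes only.
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```
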

