Worm hits Yahoo! Mail users

A virus that infects computers when users merely read an email – rather than open an attachment – has hit Yahoo! Mail accounts.

Yahoo! says it has countered the threat to its mail users

Yahoo! is the world’s largest email services provider and handles 200 million accounts, but it said on Monday that only “a very small fraction” had been infected.

The worm has been dubbed Yamanner and landed in Yahoo! mailboxes bearing the subject line “New Graphic Site”. Once opened, the message infects the computer and spreads to other users listed in Yahoo! users’ email address books, security companies said.

The email containing the virus need only be opened – in contrast to most worms that are hidden in attachments and require users to take an additional step – to release the virus, according to computer security company Symantec.

The company advised users to update virus and firewall software on their computers and to block any email sent from av3@yahoo.com.

Yahoo! said in a statement: “We have taken steps to resolve the issue and protect our users from further attacks of this worm.”

Yamanner, first detected by Yahoo! and computer anti-virus software makers earlier on Monday, was ranked as having a low threat level by Trend Micro and McAfee.

But Symantec considers the worm an “elevated threat”, one step up from the lowest ranking in terms of relative danger.

Symantec’s Security Response site suggested that Yahoo! account holders might protect themselves by upgrading to the latest test version of the recently upgraded Yahoo! Mail software.

“The worm cannot run on the newest version of Yahoo! Mail Beta,” Symantec’s site said.

Spam campaigns

A Yahoo! spokesman was not immediately available to comment on whether the company advised users to do this.

The worm exploits a vulnerability in JavaScript, a technology used to make the mail program easier to use, by triggering scripts embedded in the HTML message to run in the computer user’s browser.

The email addresses are also sent to a remote server, which may be used to run spam campaigns, analysts said. Technically, the worm goes by variants of the name JS.Yamanner.

Threat assessment, removal instructions etc: http://www.symantec.com/avcenter/venc/data/js.yamanner@m.html

Source: Reuters
