MoMusings

Wednesday 14th June, 2006


Truth or Scare?

Filed under: All, Malware, Exploits

There seems to be a new ‘virus warning’ being sent around, clogging up mailboxes and generally causing lots of FUD [Fear, Uncertainty and Doubt].

So, is it a case of ‘yet-another-virus-hoax’ chain e-mail type of warning or is this a real threat? Should you worry, pass it on, put it in the bit-bucket, or what?

Read on and find out.

So you get an e-mail from someone you know, or even from a complete stranger, that looks like this:

“There is an email going around with the subject “New Graphics Site”. It is spreading fast as about 100 people I know have gotten it just today. If you get an email with that in the subject line delete it quickly and DO NOT OPEN IT! This is a new virus I have been told.”

The Facts:

  • There is a new mass-mailing worm that has the subject of “New Graphics Site”.
  • Opening and/or viewing the e-mail does make it spread.
  • There is no attachment; the viral code is part of the e-mail body.
  • This only [at this time] affects those who use Yahoo web-mail via a web browser.
  • Turning off JavaScript support in your browser should stop it functioning.
  • Most anti-virus products now detect this.
  • The worm cannot run on the newest version of Yahoo Mail Beta.

F-Secure state that:
“The Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.”

And according to McAfee:
“There are reportedly two known variants of this threat. It appears to be under development/refinement and the initial variant contains a typo in the code”.

Furthermore, at this time the worm targets only e-mail addresses in the yahoo.com and yahoogroups.com domains. It replicates by running JavaScript that sends copies of itself to other e-mail addresses harvested from infected users' Yahoo Mail folders. As part of its routine, it also sends these harvested e-mail addresses to a remote server, which is obviously collecting them for other nefarious purposes, such as to sell as a spam list.
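An added example, not from the original post or from any vendor: a Python check a mail gateway could run to flag messages that, like the one described above, carry no attachment but have script-capable markup in the HTML body. The sample messages are constructed, the handler is a harmless placeholder rather than the worm's code, and the tag and attribute lists are assumptions, not a complete sanitiser policy.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed (not exhaustive) lists of markup that can run or load active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}

class ActiveContentFinder(HTMLParser):
    """Records markup that can execute script when a mail is merely displayed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace and control characters that can hide a URL scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")

def scan_message(raw):
    """Return subject, attachment count and active-content findings for one mail."""
    msg = message_from_string(raw)
    finder, attachments = ActiveContentFinder(), 0
    for part in msg.walk():
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return {"subject": msg["Subject"], "attachments": attachments,
            "active": finder.findings}

# Constructed sample messages (the handler is a harmless placeholder).
HEADERS = ("From: a@example.test\nTo: b@example.test\nSubject: {}\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n")
SUSPECT = HEADERS.format("New Graphics Site") + (
    '<html><body><p>Have a look.</p>'
    '<img src="https://example.test/x.gif" onload="void 0"></body></html>\n')
BENIGN = HEADERS.format("Lunch?") + (
    '<html><body><p>See <a href="https://example.test/menu">menu</a></p></body></html>\n')

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(scan_message(sample))
```

A message with zero attachments and a non-empty `active` list is the combination worth quarantining or rewriting before a web-mail client renders it.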

I suspect this attack on the web mail service of Yahoo is the start of a trend in attacking web-based e-mail services. The Internet Storm Center had this to say on the current state of many web-based applications: “After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit.”

Back to the question I asked at the start of this posting: “Should you worry, pass it on, put it in the bit-bucket, or what?” The correct answer is first to confirm via ‘reliable sources’ that such a problem/threat exists. If it is real, just be aware of the problem and how to avoid it or protect against it, apply this knowledge and any required patches or security updates [Anti-Virus, Anti-Spyware, Windows Update, etc.], then send the warning e-mail to the bit-bucket.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
