Yahoo email worm can infect without clicking attachments
by Stan Beer
Tuesday, 13 June 2006
Security vendor Symantec has identified a new JavaScript worm that exploits an unpatched vulnerability in Yahoo!'s web-based e-mail program. A user's machine can be infected merely by opening a rogue e-mail message - users do not even have to open an attachment for their system to get infected.
The worm - JS.Yamanner@m - spreads itself to the user's Yahoo! e-mail contacts when the user opens an e-mail infected by the worm. JS.Yamanner then sends these e-mail addresses to a remote server on the Internet. Only users with contacts whose e-mail address is @yahoo.com or @yahoogroups.com are impacted by this worm. Users of Yahoo! Mail Beta do not appear to be vulnerable to JS.Yamanner.
The number of users of Yahoo!'s e-mail has been estimated to be as high as 200 million.
JS.Yamanner exploits a vulnerability that enables scripts embedded in HTML e-mails to be run by the user's browser. These scripts are normally blocked by Yahoo! Mail for security reasons, so Symantec has categorised the worm as a relatively low Level 2 threat (on a scale of 1 to 5, with 5 being most severe).
Additionally, if users inadvertently open an infected e-mail, they will also see that their browser window is redirected to display the Web page associated with the URL: http://www.av3.net/index.htm.
"This worm is a twist on the traditional mass-mailing worms that we have seen in recent years," said Dave Cole, director at Symantec Security Response. "Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS.Yamanner makes use of a previously-unknown security hole in the Yahoo! Web mail program in order to spread to other Yahoo! users and harvests user information for possible future attacks."
Symantec has advised that, as there is no patch at present, users should update antivirus definitions and firewall signatures and block any e-mails sent from av3[at]yahoo.com.
The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/