Yahoo worm 'more concept than threat'

Yamanner burned brightly, but briefly, according to Symantec
Written by ZDNet UK, Contributor

The Yamanner worm, which attacked Yahoo Mail users, is a proof-of-concept piece of malware which shouldn't cause businesses any significant damage, according to Symantec.

The antivirus company, which warned of the existence of Yamanner in an advisory on Monday, believes that the worm has now faded as a danger.

"A massive spike started on the 11th [Sunday] in the US, but it dropped to the floor today. That's a good indicator," said Kevin Hogan, senior security response manager at Symantec.

Security companies have released antivirus definitions that protect against Yamanner. But, according to Hogan, the sharp decline in virus activity is because Yahoo itself has now patched its central servers.

"They have blocked this hole, by making a slight change that ensures the script won't run," said Hogan.

Yamanner takes advantage of a JavaScript flaw which allows scripts that are embedded in HTML emails to execute in the user's Web browser.

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site". Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo email contact list. The harvested email addresses are also sent to a remote online server.

According to early reports, these email addresses were being acquired for use in spam campaigns. But Hogan believes this isn't the case, and says there is evidence that the site in question was not involved with the creation of Yamanner.

"We suspect they are seeing if this could be done, rather than trying to steal information," Hogan said.

Editorial standards