Slashdot Mirror


Worm Wriggles Through Yahoo! Mail Flaw

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

5 of 186 comments

  1. Medireview virus attacks yahoo. by leuk_he · · Score: 4, Interesting

    I thought the security of Yahoo would have captured an old JavaScript virus by now. But I do not understand: how can this JavaScript break out of the browsers? Isn't Yahoo just a webmail website? Then how would the local PC be affected? Why would you have to scan your PC as Symantec tells you?

    OK, the virus can send a lot of e-mails and break the Yahoo mail system. Or is there something about Yahoo mail I do not understand?

  2. Spread? by argStyopa · · Score: 2, Interesting

    I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachments.

    Anyone have any idea if this works on/through gmail too?

    --
    -Styopa

  3. Crime and punishment by erroneus · · Score: 3, Interesting

    In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

    People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder, sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:

    Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantage of weaknesses in security simply because they are 'superior' in some way.

    I see a noticeable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these laws successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.

    We don't need more legislation, but we do need to up the level of aggression in pursuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.

  4. Re:Makes you wonder. by hesiod · · Score: 2, Interesting

    > The worm itself (at least from the description here) sounds relatively serious

    Huh? All the descriptions I've seen say it just forwards itself to people in your Yahoo! contact list. I've seen nothing about it doing any damage to your PC, browser, or even your Yahoo! mail account. How is that worthy of a rating more than two? Unless I'm missing something, 2 sounds too high. Is there some other evil effect that was discovered and not posted in the messages I've seen so far?

  5. Yay for NoScript! by gardyloo · · Score: 2, Interesting

    Bless Firefox and the NoScript (https://addons.mozilla.org/firefox/722/) extension.