Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worm Wriggles Through Yahoo! Mail Flaw

Posted by ryuzaki0 on from the descriptive-imagery dept.

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

4 of 186 comments (clear)

  1. First reported by Billosaur · · Score: 4, Insightful

    Yesterday by The Register

    My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

    --
    GetOuttaMySpace - The Anti-Social Network
  2. Medireview virus attacks yahoo. by leuk_he · · Score: 4, Interesting

    I thought the security of yahoo would have captured a old javascript virus by now. Bu i do not understand: how can this javascript break out the browsers? isn't yahoo just a webmail website? then how would the local pc be affected? why would you have to scan your pc as symantic tells you?

    Ok, the virus can send a lot of e-mails and break the yahoo mail system. or si there something about yahoo mail i do not understand?

    1. Re:Medireview virus attacks yahoo. by larkost · · Score: 4, Informative

      The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other that work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are on your Yahoo addressbook, and emails itself to them, once again though Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

      With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.

  3. The warm may not be as "innocent" by trifish · · Score: 4, Informative

    Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email adresses to an external site - www.av3.net [which I wouldn't dare to browse to].

    Here are the technical details of the worm:

    1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

    From: Varies
    Subject: New Graphic Site
    Message body: Note: forwarded message attached.

    2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

    3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

    4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

    5) Contacts the following URL:

    [http://]www.av3.net/index.htm

    6) Sends a list of email addresses gathered to the above URL.