By Staff
Wednesday, June 14 2006 10:47 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,39367353,00.htm

The Yamanner worm, which attacked Yahoo Mail users, is a proof-of-concept piece of malware that shouldn't cause businesses any significant damage, says Symantec.

The antivirus company, which warned of the existence of Yamanner in an advisory on Monday, believes that the worm has now faded as a danger.

"A massive spike started on the 11th (Sunday) in the U.S., but it dropped to the floor today. That's a good indicator," said Kevin Hogan, senior security response manager at Symantec.

Security companies have released antivirus definitions that protect against Yamanner. But, according to Hogan, the sharp decline in virus activity is because Yahoo itself has now patched its central servers.

"They have blocked this hole, by making a slight change that ensures the script won't run," said Hogan.

Yamanner takes advantage of a JavaScript flaw which allows scripts that are embedded in HTML e-mail messages to execute in the user's Web browser.

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site". Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo e-mail contact list. The harvested e-mail addresses are also sent to a remote online server.

According to early reports, these e-mail addresses were being acquired for use in spam campaigns. But Hogan believes this isn't the case, and says there is evidence that the site in question was not involved with the creation of Yamanner.

"We suspect they are seeing if this could be done, rather than trying to steal information," Hogan said.