Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Yahoo! mass-mailer SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Yahoo! mass-mailer
A Yahoo! mass-mailer is currently making the rounds with a subject of "New Graphic site".

It was first reported to the ISC at 12:32 UTC and now appears to be circulating in two slightly different variants.  Analysis by Lorna and myself shows that both variants are flawed therefore they spread very effectively but do not actually perform the intended action.  The mass-mailer attempts to open a browser window to but a spelling mistake prevents this from working.  The website appears to be dormant and rejecting accesses.

The release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it.  It searches for both and e-mail addresses.

There is currently no trivial fix for Yahoo! mail as turning off Javascript on the browser will prevent you from reading your e-mail.  For Yahoo! groups it is recommended that moderators/adminstrators turn off attachments for the time being to prevent this spreading further.

28 Posts
Jun 12th 2006

Sign Up for Free or Log In to start participating in the conversation!