Yahoo Zero Day: JS.Yamanner Update

The SANS Internet Storm Center has information answering my question on the conflicting info on whether or not you have to open the attachment.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both and e-mail addresses.

They go on to say that the virus is poorly coded and does not do everything the writer is trying to achieve. There are two versions in circulation, with the second being an attempt at a bug fix.
Symantec 6/12 virus defs detect this.
Yamanner is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user’s Yahoo email contacts.
Mitigation is tough at this time. You can’t disable JavaScript and still access Yahoo Mail. The viral messages are from people you know. You could not open unexpected messages, but that kinda negates the purpose of the Internet in my opinion. Users in the Yahoo Mail beta are not affected.