Yahoo Zero Day: JS.Yamanner

There is some talk over on the Full Disclosure mailing list of a worm on Yahoo Mail. They say it is exploiting a vulnerability in Yahoo Mail so that when you open an email with the exploit it will send email to gathered yahoo addresses.
Symantec has a writeup here.

[email protected] performs the following actions:
Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
Contacts the following URL:
[http://]www.av3.net/index.htm
Sends a list of email addresses gathered to the above URL.

Its not clear from this if the user is required to open an email attachment to be exploited or if it occurs as the email message is opened.