Lumension® Endpoint Intelligence Center



Threat Risk: LOW
Destructivity: NONE
Detection files published: 01 Sep 1999 03:00:00
Description created: 19 Nov 2000 03:00:00
Description updated: 26 Nov 2002 04:31:00
Malware type: VIRUS
Spreading mechanism: FILE_INFECTION
Summary: None



X97M/Yawn.A turns off MS Excel's virus protection. It creates an infected spreadsheet, Personal.xls, and drops it into the MS Excel Startup folder. MS Excel automatically loads every workbook stored in this folder during startup.

To find new documents to infect, Personal.xls checks whether each active workbook is already infected. It uses a comment in the virus code, taitai, as a "marker" (like the W97M/Marker virus) to decide whether a workbook is infected. Workbooks in which this marker is not found will be infected.

X97M/Yawn uses the Export/Import routine to infect new workbooks. The virus code is exported to a file named t in the MS Excel Startup folder; the virus then uses the import function to infect new workbooks and deletes t when this is done. If the virus succeeds in infecting a new workbook, the 'Macro' item from the 'Tools' menu will be deleted.

The macro code is stored in a module with a random name consisting of two letters and a class module named Class1.
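A triage sketch for the artifacts described above, added here as an example and not part of the original description or any vendor tool. It assumes each workbook's VBA modules have already been exported to text by a separate extraction step; the function names and indicator labels are hypothetical.

```python
import re
from pathlib import Path

MARKER = "taitai"                     # infection marker comment named in the description
TWO_LETTER = re.compile(r"[A-Za-z]{2}")

def comment_text(line):
    """Return the comment part of one VBA source line ('' if none)."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string          # skip apostrophes inside string literals
        elif ch == "'" and not in_string:
            return line[i + 1:]
    stripped = line.strip()
    return stripped[3:] if re.match(r"(?i)rem(\s|$)", stripped) else ""

def workbook_indicators(modules):
    """modules: {module name: exported source text} for one workbook."""
    hits = []
    lines = (l for src in modules.values() for l in src.splitlines())
    if any(MARKER in comment_text(l).lower() for l in lines):
        hits.append("marker-comment")
    if "Class1" in modules and any(TWO_LETTER.fullmatch(n) for n in modules):
        hits.append("module-layout")           # two-letter module plus Class1
    return hits

def startup_indicators(startup_dir):
    """Check an Excel startup folder for the two files the description names."""
    names = {p.name.lower() for p in Path(startup_dir).iterdir() if p.is_file()}
    hits = []
    if "t" in names:
        hits.append("export-file-t")           # export file, normally deleted after use
    if "personal.xls" in names:
        hits.append("personal.xls")            # weak alone: Excel's own personal macro workbook uses this name
    return hits

# Constructed samples (not real virus code): only the traits the description lists.
SAMPLE_FLAGGED = {"qz": "Sub Auto_Open()\n    ' taitai\nEnd Sub\n", "Class1": ""}
SAMPLE_CLEAN = {"Module1": 'Sub Report()\n    MsgBox "it\'s taitai"\nEnd Sub\n'}

if __name__ == "__main__":
    print(workbook_indicators(SAMPLE_FLAGGED))
    print(workbook_indicators(SAMPLE_CLEAN))
```

A Personal.xls hit on its own only means the workbook should be inspected; the marker comment and module layout are the traits specific to this description.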

Payload Details






Last Updated: 12 Nov 2015 11:06:15