X97M/Yawn.A

description-logoAnalysis

  • Virus consists of two macro modules, one of which is created with a random name, and the other is named "Class1"
  • Virus hooks Excel event handler which prevents the opening of infected files in order to run its code
  • Virus verifies if it has infected the Excel environment by searching for the file "PERSONAL.XLS" in the XLStart folder - if the file does not exist, a new workbook is created, infected and then saved as "PERSONAL.XLS" in the XLStart folder
  • Virus searches the macro storage of host files for the string

    "'taitai"

    which exists in the virus body, as a means to determine if the host file is already infected

  • Virus is named from a variable used the code named "awn"

Telemetry logoTelemetry