X97M/Yawn.A
Analysis
- Virus consists of two macro modules, one of which
is created with a random name, and the other is named
"Class1"
- Virus hooks Excel event handler which prevents
the opening of infected files in order to run its
code
- Virus verifies if it has infected the Excel environment
by searching for the file "PERSONAL.XLS"
in the XLStart folder - if the file does not exist,
a new workbook is created, infected and then saved
as "PERSONAL.XLS" in the XLStart folder
- Virus searches the macro storage of host files
for the string
"'taitai"
which exists in the virus body, as a means to determine if the host file is already infected
-
Virus is named from a variable used the code named "awn"