XM97/Yosenio-A is a polymorphic Excel macro virus that drops a mass-mailing worm for the Windows platform.
The worm dropped by the macro virus is detected as W32/Yosenio-A. The worm also drops a polymorphic overwriting virus detected as VBS/Yosenio-A.
XM97/Yosenio-A drops the mass-mailing worm to the Windows folder as MSIEXEC32.EXE and runs it. A mutated copy of the macro virus is dropped as PERSONAL.XLS in the Excel startup folder. The macro virus also attempts to infect other Excel documents.
XM97/Yosenio-A makes the following changes to the system registry:
HKCU\Software\Microsoft\Office\10.0\Excel\Security
AccessVBOM = 1
DontTrustInstalledFile = 0
Level = 1

HKCU\Software\Microsoft\Office\9.0\Excel\Security
DontTrustInstalledFile = 0
Level = 1
XM97/Yosenio-A temporarily drops files 1.REG and 2.REG containing some of the above registry changes.
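The registry changes listed above can be checked against the text of a `reg export` taken from a user's hive. The following is an added example, not part of the original description or of any vendor tool; it assumes the values are stored as DWORDs, and the function names and the sample export are constructed for illustration.

```python
import re

# Settings listed in the description: (key under HKCU, value name) -> data.
_SEC = r"Software\Microsoft\Office\{}\Excel\Security"
INDICATORS = {
    (_SEC.format("10.0"), "AccessVBOM"): 1,
    (_SEC.format("10.0"), "DontTrustInstalledFile"): 0,
    (_SEC.format("10.0"), "Level"): 1,
    (_SEC.format("9.0"), "DontTrustInstalledFile"): 0,
    (_SEC.format("9.0"), "Level"): 1,
}
_KEY_RE = re.compile(r"^\[(?:HKEY_CURRENT_USER|HKCU)\\(.+)\]$", re.I)
_VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {(key, value_name): int} for DWORD values under HKCU, lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _KEY_RE.match(line)
            key = m.group(1).lower() if m else None  # other hives are ignored
        elif key and (m := _VAL_RE.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def match_indicators(text):
    """List the described settings that are present with the listed data."""
    found = parse_reg_export(text)
    return [(k, n, d) for (k, n), d in INDICATORS.items()
            if found.get((k.lower(), n.lower())) == d]

# Constructed sample export. Real exports from reg.exe are UTF-16, so read
# them with open(path, encoding="utf-16") before passing the text in.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security]
"AccessVBOM"=dword:00000001
"DontTrustInstalledFile"=dword:00000000
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]
"Level"=dword:00000003
"""

if __name__ == "__main__":
    for key, name, data in match_indicators(SAMPLE):
        print(f"HKCU\\{key}\\{name} = {data}")
```

A match shows only that a setting has the listed data; the same values can be set through Excel's own macro security options, so treat hits as a lead to correlate with the dropped files named above.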