XM97/Yosenio-A

Aliases	Email-Worm.Win32.Yosenio.a X97M/Yosenio.A X97M/Yesi X97M_YESENIA.A O97M.Ainesey.C
Category	Viruses and Spyware
Type	Virus
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Infected files
Affected operating systems	Windows
Characteristics	Drops more malware
Protection available since	6 April 2005 20:41:19 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for disinfecting macro viruses.

More Information

Summary
Action
More Information

XM97/Yosenio-A is a polymorphic Excel macro virus that drops a mass-mailing worm for the Windows platform.

The worm dropped by the macro virus is detected as W32/Yosenio-A. The worm also drops a polymorphic overwriting virus detected as VBS/Yosenio-A.

XM97/Yosenio-A drops the mass-mailing worm to the Windows folder as MSIEXEC32.EXE and runs it. A mutated copy of the macro virus is dropped as PERSONAL.XLS in the Excel startup folder. The macro virus also attempts to infect other Excel documents.

XM97/Yosenio-A makes the following changes to the system registry:

HKCU\Software\Microsoft\Office\10.0\Excel\Security
AccessVBOM
1

HKCU\Software\Microsoft\Office\10.0\Excel\Security
DontTrustInstalledFile
0

HKCU\Software\Microsoft\Office\10.0\Excel\Security
Level
1

HKCU\Software\Microsoft\Office\9.0\Excel\Security
DontTrustInstalledFile
0

HKCU\Software\Microsoft\Office\9.0\Excel\Security
Level
1

XM97/Yosenio-A temporarily drops files 1.REG and 2.REG containing some of the above registry changes.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

XM97/Yosenio-A

Summary

Action

More Information