XM97/Yini-A

Aliases	Virus.MSExcel.Yini.a
Category	Viruses and Spyware
Type	Virus
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Infected files
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	May 2005 (3.93)
Protection available since	28 March 2005 16:00:41 (GMT)
Last updated	28 March 2005 17:18:26 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for disinfecting macro viruses.

More Information

Summary
Action
More Information

XM97/Yini-A is a Microsoft Excel macro virus.

XM97/Yini-A drops a copy of itself to C:\windows\system\HappyBirthday and drops the file yinyin3345.vbs in the <Windows>\ShellNew\Software folder. This is a Visual Basic script file which drops the file yinyin3345.xls in the XLSTART folder which ensures that the virus is run when Excel starts.

XM97/Yini-A creates the following registry entry to run the Visual Basic Script on system logon or startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
internet.exe
<Windows>\ShellNew\Software\yinyin3345.vbs

On the 4th of November or any Thursday XM97/Yini-A will remove the Visual Basic Script and display a message box.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

XM97/Yini-A

Summary

Action

More Information