McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This threat is detected as X97M/Yawn.n@MM. The virus will disable Tools/Macro and Tools/Options from the menu. It will also drop VBS/Cybarm.a as C:\WINDOWS\kernel.exe.vbs.

X97M/Yawn.n@MM uses Outlook to send email out to first 50 recipients in AddressList with the following information:

• Subject: Penting !! dari [username]
• Body: di bawah ini laporan yang anda perlukan dalam attachment Excel
• Attachment: Infected excel file

The virus will also make a copy of itself as c:\army.xls and then make a copy of this file in the XLStart directory as: [day] + "S" + [month] + "o".xls. An example of a filename it may create depending on the day and month would be: 27S11o.xls. Due to an error in code, these excel files may not be infected.

Symptoms

The presence of the file c:\army.xls. Also the presence of the file C:\WINDOWS\kernel.exe.vbs

Method of Infection

Opening the excel attachment will mass mail to first 50 recipients in addresslist with the infected excel file attached.

Removal

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This threat is detected as X97M/Yawn.n@MM. The virus will disable Tools/Macro and Tools/Options from the menu. It will also drop VBS/Cybarm.a as C:\WINDOWS\kernel.exe.vbs.

X97M/Yawn.n@MM uses Outlook to send email out to first 50 recipients in AddressList with the following information:

• Subject: Penting !! dari [username]
• Body: di bawah ini laporan yang anda perlukan dalam attachment Excel
• Attachment: Infected excel file

The virus will also make a copy of itself as c:\army.xls and then make a copy of this file in the XLStart directory as: [day] + "S" + [month] + "o".xls. An example of a filename it may create depending on the day and month would be: 27S11o.xls. Due to an error in code, these excel files may not be infected.

Symptoms

Symptoms -

The presence of the file c:\army.xls. Also the presence of the file C:\WINDOWS\kernel.exe.vbs

Method of Infection

Method of Infection -

Opening the excel attachment will mass mail to first 50 recipients in addresslist with the infected excel file attached.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants -

N/A