Classification

Category: Malware

Type: -

Aliases: Yipper, Yitai

Summary

Yipper is a family of email-address-stealing trojans written in Visual Basic. All 3 currently known variants appeared on 6th of May, 2003. These trojans do not install themselves on the system; they only collect email addresses and send them to 2 pre-defined email addresses in Israel.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Yipper.A

This trojan variant sends the stolen email addresses to the <yitai342@012.net.il> email address. The message is sent with the text 'Hi' in the subject line. The message body contains entries from the infected user's Outlook Address Book.

Variant: Yipper.B

This trojan variant was sent to several people in email messages as a FindMyMatch.exe attachment. The trojan sends the stolen email addresses to the <yipai342@netvision.net.il> email address. The message is sent with 'NewWorld' in the subject line. The body contains encrypted entries from the infected user's Outlook Address Book.

The B variant keeps a copy of itself in memory, while the A and C variants exit after they send out the email lists.

Variant: Yipper.C

This trojan variant is very close to the Yipper.A variant. It sends the stolen email addresses to the <yitai342@012.net.il> email address. The message is sent with 'Hi' in the subject line. The body contains entries from the infected user's Outlook Address Book.
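
The following is an added example, not part of the original description: a mail-gateway style check that flags messages addressed to the two drop addresses and messages carrying the FindMyMatch.exe attachment named above. The function names, the confidence levels, the exact-subject comparison and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Indicators from the variant descriptions: drop address -> (variants, subject)
DROPS = {
    "yitai342@012.net.il": ("Yipper.A/Yipper.C", "Hi"),
    "yipai342@netvision.net.il": ("Yipper.B", "NewWorld"),
}
LURE = "findmymatch.exe"  # attachment name used to deliver Yipper.B

def classify(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    headers = [str(h) for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])]
    findings = []
    for _name, addr in getaddresses(headers):
        hit = DROPS.get(addr.lower())
        if hit:
            variants, expected = hit
            # Assumption: an exact subject match raises confidence; a drop
            # address with any other subject is still reported as "medium".
            level = "high" if subject == expected else "medium"
            findings.append(f"exfil:{variants}:{level}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == LURE:
            findings.append("lure:Yipper.B")
    return findings

def sample(to, subject, attachment=None) -> bytes:
    """Build a constructed test message; sender, body and payload are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.com", to, subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (sample("yitai342@012.net.il", "Hi"),
                sample("yipai342@netvision.net.il", "Re: hello"),
                sample("friend@example.com", "photos", "FindMyMatch.exe"),
                sample("friend@example.com", "Hi")):
        print(classify(raw))
```

A subject of 'Hi' alone is not flagged, since it is far too common to be an indicator without the matching recipient.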