Win32/Spy.Silon [Threat Name]

Win32/Spy.Silon.AA [Threat Variant Name]

Category trojan
Size 36959 B
Detection created Oct 28, 2009
Detection database version 4553
Aliases BackDoor-EHA (McAfee)
  Trojan:Win32/Meredrop (Microsoft)
  Agent2.YPI (AVG)
Short description

Win32/Spy.Silon.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan drops the following file into the %system% folder:

  • msjet51.dll

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}]
    • "(Default)" = "%system%\msjet51.dll"
  • [HKEY_CLASSES_ROOT\CLSID\%variable%\InprocServer32]
    • "0" = %hex_value1%
    • "1" = %hex_value2%
    • "4" = %hex_value3%

A string with variable content is used instead of %variable%.

The trojan creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe
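
The registry footprint above can be triaged offline from a .reg export of HKEY_CLASSES_ROOT\CLSID. The following Python is an added example, not code from the ESET entry or from the malware: it parses a .reg export and flags the three indicators the entry describes (the known CLSID, a default value pointing at the dropped msjet51.dll, and an InprocServer32 subkey holding binary values under numeric names). The sample export is constructed; only the {50D5107A-...} CLSID and the msjet51.dll file name come from the entry, while the second CLSID, the hex data and the ole32 key are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for the example (not a real capture). Only the
# {50D5107A-...} CLSID and the msjet51.dll file name come from the ESET entry;
# the second CLSID, the hex data and the ole32 key are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}]
@="C:\\WINDOWS\\system32\\msjet51.dll"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-1111-2222-333344445555}\InprocServer32]
"0"=hex:4a,00,1f,e3
"1"=hex:07,c2
"4"=hex:10

[HKEY_CLASSES_ROOT\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\ole32.dll"
"ThreadingModel"="Both"
'''

SILON_CLSID = "{50D5107A-D278-4871-8989-F4CEAAF59CFC}"
DROPPED_DLL = "msjet51.dll"

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

RegValues = Dict[str, Tuple[str, object]]


def _unescape(s: str) -> str:
    # .reg files escape quotes as \" and backslashes as \\
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text: str) -> Dict[str, RegValues]:
    """Parse a .reg export into {key_path: {value_name: (type, data)}}.

    Handles REG_SZ, REG_DWORD and single-line hex: (REG_BINARY) values;
    multi-line hex continuations are not needed for this example.
    """
    keys: Dict[str, RegValues] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.lower().startswith("hex:"):
            octets = data[4:].rstrip("\\").split(",")
            keys[current][name] = ("REG_BINARY", bytes(int(o, 16) for o in octets if o))
    return keys


def find_silon_indicators(keys: Dict[str, RegValues]) -> List[Tuple[str, str]]:
    """Flag CLSID keys matching the registry footprint described in the entry."""
    hits = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) < 3 or parts[0].upper() != "HKEY_CLASSES_ROOT" or parts[1].upper() != "CLSID":
            continue
        if parts[2].upper() == SILON_CLSID:
            hits.append((path, "known Win32/Spy.Silon.AA CLSID"))
        default = values.get("(Default)")
        if default and default[0] == "REG_SZ" and default[1].lower().endswith("\\" + DROPPED_DLL):
            hits.append((path, "default value points at dropped " + DROPPED_DLL))
        if len(parts) == 4 and parts[3].lower() == "inprocserver32":
            # InprocServer32 normally holds a DLL path and ThreadingModel,
            # not binary blobs stored under numeric value names
            blobs = sorted(n for n, (kind, _) in values.items() if kind == "REG_BINARY" and n.isdigit())
            if blobs:
                hits.append((path, "binary values named " + ", ".join(blobs) + " under InprocServer32"))
    return hits


if __name__ == "__main__":
    for path, why in find_silon_indicators(parse_reg(SAMPLE_REG)):
        print(f"{path}: {why}")
```

On a live host, export the hive with `reg export HKCR\CLSID clsid.reg` and feed the file to parse_reg; the numeric-name rule is the one most likely to survive a change of CLSID or file name between variants.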

Information stealing

Win32/Spy.Silon.AA is a trojan that steals passwords and other sensitive information.

The trojan collects the following information:

  • FTP account information
  • POP3 account information
  • Windows Protected Storage passwords and credentials
  • Internet Explorer version
  • list of recently opened/executed files

The trojan can send the information to a remote machine.

The trojan contains a list of 3 URLs.

The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • monitor network traffic

The trojan creates the following files:

  • %windir%\Temp\%variable%

A string with variable content is used instead of %variable%.

The trojan hooks the following Windows APIs:

  • InternetCloseHandle (Wininet.dll)
  • InternetQueryDataAvailable (Wininet.dll)
  • InternetQueryOptionA (Wininet.dll)
  • InternetReadFile (Wininet.dll)
  • InternetReadFileExA (Wininet.dll)
  • InternetReadFileExW (Wininet.dll)
  • InternetSetStatusCallback (Wininet.dll)
  • HttpQueryInfoA (Wininet.dll)
  • HttpSendRequestA (Wininet.dll)
  • HttpSendRequestW (Wininet.dll)

The trojan can delete cookies.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    • "(Default)" = "."
