Threat Encyclopedia

Short description
Win32/Spy.Silon.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.
Installation
When executed, the trojan drops the following file in the %system% folder:
  • msjet51.dll
The following Registry entries are created:
  • [HKEY_CLASSES_ROOT\CLSID\
    {50D5107A-D278-4871-8989-F4CEAAF59CFC}]
    "(Default)" = "%system%\msjet51.dll"
  • [HKEY_CLASSES_ROOT\CLSID\%variable%\InprocServer32]
    "0" = %hex_value1%
A string with variable content is used instead of %variable%.

The trojan creates and runs a new thread with its own program code within the following processes:
  • iexplore.exe
Information stealing
Win32/Spy.Silon.AA is a trojan that steals passwords and other sensitive information.

The trojan collects the following information:
  • FTP account information
  • POP3 account information
  • Windows Protected Storage passwords and credentials
  • Internet Explorer version
  • list of recently opened/executed files
The trojan can send the information to a remote machine. The trojan contains a list of 3 URLs. The HTTP protocol is used.
Other information
The trojan receives data and commands from a remote computer or the Internet.

It can execute the following operations:
  • download files from a remote computer and/or Internet
  • send files to a remote computer
  • run executable files
  • monitor network traffic
The trojan creates the following files:
  • %windir%\Temp\%variable%
A string with variable content is used instead of %variable%.

The trojan hooks the following Windows APIs:
  • InternetCloseHandle (Wininet.dll)
  • InternetQueryDataAvailable (Wininet.dll)
  • InternetQueryOptionA (Wininet.dll)
  • InternetReadFile (Wininet.dll)
  • InternetReadFileExA (Wininet.dll)
The trojan can delete cookies.

The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\
    Navigating\.Current]
    "(Default)" = "."