| Malware Advisories (RSS) Malware Security Advisories Via RSS |
| Thread | Thread Starter | Forum | Replies | Last Post |
| Troj_zbot.mh | iBot | Malware Advisories (RSS) | 0 | 06-18-2008 06:20 AM |
Troj_zbot.lm
This Trojan arrives on a system as a file dropped by other malware or as a downloaded file from a certain Web site.
When executed, it downloads an encrypted configuration file from and is saved as %System%\wsnpoem\audio.dll. (Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.) Once decrypted, the downloaded configuration file contains the following financial-related Web sites which this spyware monitors:
When a user attempts to access any of the monitored sites in the configuration file, the Trojan captures user input (specifically, text entered in the input boxes designed for usernames and passwords) and saves it in one of its dropped .DLL component files. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data. The gathered information is then sent to http://{BLOCKED}sia.name/s.php via HTTP POST.
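The two indicators in the advisory above (the dropped %System%\wsnpoem\audio.dll file and the HTTP POST to /s.php) can be turned into a simple triage check. The following is an added example, not part of the original advisory or of any vendor tool; the proxy log layout, the sample log lines, the sample file listing and the stand-in host name are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators quoted in the advisory. The host is redacted there as
# {BLOCKED}sia.name, so only the visible suffix can be matched.
EXFIL_HOST_SUFFIX = "sia.name"
EXFIL_PATH = "/s.php"
SYSTEM_DIRS = [r"C:\WINNT\System32", r"C:\Windows\System32"]
DROPPED_REL = r"wsnpoem\audio.dll"

# Assumed proxy log layout: "<time> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def exfil_hits(lines):
    """Return (time, client, url) for POSTs to /s.php on a host ending in the suffix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        when, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if (method == "POST" and host.endswith(EXFIL_HOST_SUFFIX)
                and parts.path.lower() == EXFIL_PATH):
            hits.append((when, client, url))
    return hits

def dropped_file_hits(file_listing):
    """Return listing entries equal to %System%\\wsnpoem\\audio.dll, ignoring case."""
    wanted = {str(PureWindowsPath(d) / DROPPED_REL).lower() for d in SYSTEM_DIRS}
    return [p for p in file_listing if str(PureWindowsPath(p)).lower() in wanted]

# Constructed sample data; "redactedsia.name" is a stand-in for the redacted host.
SAMPLE_LOG = [
    "2008-06-18T06:01:02Z 10.0.0.15 GET http://intranet.example/index.html 200",
    "2008-06-18T06:03:44Z 10.0.0.23 POST http://redactedsia.name/s.php 200",
    "2008-06-18T06:04:10Z 10.0.0.23 GET http://redactedsia.name/s.php 200",
    "2008-06-18T06:05:31Z 10.0.0.31 POST http://shop.example/s.php 302",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\wsnpoem\AUDIO.DLL",
    r"C:\Windows\System32\drivers\audio.dll",
]

if __name__ == "__main__":
    for hit in exfil_hits(SAMPLE_LOG) + dropped_file_hits(SAMPLE_FILES):
        print("indicator match:", hit)
```

Because the advisory redacts most of the host name, the suffix match will also flag unrelated hosts that end in the same letters, so a network hit is a lead to correlate with the file indicator on the same client rather than a verdict on its own.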