Malware Advisories (RSS): Malware Security Advisories Via RSS
Troj_zbot.nj
This malware arrives on a system as a file dropped by other malware or as a downloaded file from a certain URL.
Upon execution, this malware drops a copy of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection. It creates a folder with its attributes set to system and hidden to prevent users from discovering and removing its components. It modifies a registry entry to enable its automatic execution at every system startup. It downloads an encrypted configuration file from a certain URL. Once decrypted, the downloaded configuration file contains a list of URLs related to banking Web sites which this malware monitors in address bars. It attempts to steal sensitive online banking information. When a user attempts to access any of the monitored sites in the configuration file, it captures user input (specifically those entered in the input boxes designed for usernames and passwords) and saves it in a file. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.