The UNIX and Linux Forums  

Malware Advisories (RSS) Malware Security Advisories Via RSS

07-12-2008
iBot (RSS Robot Girl)
Bkdr_reload.p

This backdoor arrives on a system as a file dropped by other malware or as a downloaded file from a malicious Web site.

It monitors the Internet Explorer activities of the affected system, specifically the address bar. If a user visits any of the monitored sites, this backdoor recreates the legitimate Web site with a spoofed login page. The said routine tricks the user into giving out sensitive account-related information. It logs keystrokes entered by the user in the user name and password fields of the spoofed login page. It then closes the legitimate Web site once the backdoor recreates it.

This backdoor attempts to steal online bank user information and saves it in the LOGFILE1.TXT file. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It then sends the data it gathers to a public email address that uses the smtp.terra.com.br domain server using its own Simple Mail Transfer Protocol (SMTP) engine.
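A defensive triage sketch for the two indicators the advisory names, the LOGFILE1.TXT capture file and mail sent to smtp.terra.com.br by the backdoor's own SMTP engine. This is an added example, not part of the original post or the vendor's advisory; the log formats, host names, file path, port set and relay allow-list are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumptions (not from the advisory): log formats, host names, the file path,
# the approved relay list and the SMTP port set are constructed for this sketch.
APPROVED_RELAYS = {"mail01"}               # hosts allowed to speak SMTP outbound
SMTP_PORTS = {25, 465, 587}
ADVISORY_SMTP_HOST = "smtp.terra.com.br"   # named in the advisory
ADVISORY_LOG_NAME = "logfile1.txt"         # LOGFILE1.TXT, named in the advisory

CONN_RE = re.compile(r"^(\S+) CONN src=(\S+) dst=(\S+) dport=(\d+)$")
FILE_RE = re.compile(r"^(\S+) FILECREATE host=(\S+) path=(.+)$")

# Constructed sample events (firewall connections and file-creation telemetry).
SAMPLE_LOGS = """\
2008-07-12T09:01:10 CONN src=mail01 dst=smtp.example.net dport=25
2008-07-12T09:02:44 FILECREATE host=ws-114 path=C:\\Temp\\LOGFILE1.TXT
2008-07-12T09:03:02 CONN src=ws-114 dst=smtp.terra.com.br dport=25
2008-07-12T09:05:31 CONN src=ws-207 dst=www.example.org dport=443
2008-07-12T09:06:00 CONN src=ws-311 dst=smtp.example.net dport=587
"""

def triage(log_text):
    """Return {host: sorted list of indicator tags} for hosts worth a look."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if m := CONN_RE.match(line):
            _, src, dst, dport = m.groups()
            # A workstation talking SMTP directly, bypassing the mail relay,
            # is what a built-in SMTP engine looks like on the wire.
            if int(dport) in SMTP_PORTS and src not in APPROVED_RELAYS:
                findings[src].add("direct-smtp")
                if dst.lower().rstrip(".") == ADVISORY_SMTP_HOST:
                    findings[src].add("advisory-smtp-host")
        elif m := FILE_RE.match(line):
            _, host, path = m.groups()
            # Compare the file name only; the advisory gives no directory.
            if re.split(r"[\\/]", path)[-1].lower() == ADVISORY_LOG_NAME:
                findings[host].add("advisory-logfile")
    return {h: sorted(tags) for h, tags in findings.items()}

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOGS).items(), key=lambda kv: -len(kv[1]))
    for host, tags in ranked:
        print(host, ", ".join(tags))
```

A host carrying all three tags matches the advisory's described behaviour; a host with only `direct-smtp` is a policy violation to review, not a confirmed infection.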