This Trojan arrives on a system as a file dropped by other malware or as a downloaded file from a certain URL.

Upon execution, this Trojan drops a copy of itself in the Windows system folder.

It creates a certain folder with its attributes set to System and Hidden to prevent users from discovering and removing its components.

The said folder contains certain non-malicious files used to save the configuration information found in the downloaded configuration file and to save the stolen gathered information.

It creates and modifies registry key(s) and entry(ies).

It creates a mutex to ensure that only one instance of itself is running in memory.

This Trojan downloads an encrypted configuration file from a certain URL and is saved using a certain file name.

Once decrypted, the downloaded configuration file contains banking-related Web sites which this Trojan monitors. Note that the contents of the file, hence the list of Web sites to monitor, may change any time.

This Trojan also creates a remote thread to inject itself into a certain legitimate process to stay memory resident. This routine enables this Trojan to run even when the system is in safe mode.

It attempts to retrieve information from banking-related institutions.

It attempts to steal sensitive online banking information. When a user attempts to access any of the monitored sites in the configuration file, it captures user input (specifically those entered in the input boxes designed for user names and passwords) and saves it in a certain file. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

The gathered information is stored in the affected system and then sent to a certain URL via HTTP POST.

It checks for the presence of certain processes which are related to Outpost Personal Firewall and ZoneLabs Firewall Client. It terminates if either of the said processes exist. This is to ensure that the malware will run uninterrupted.



More...