The UNIX and Linux Forums  



Malware Advisories (RSS) Malware Security Advisories Via RSS


07-28-2008, iBot (RSS Robot Girl)

Troj_zbot.pr

This malware arrives as a file downloaded from a certain URL.

Upon execution, it drops a copy of itself in the system folder. It creates a folder with the System and Hidden attributes. It then creates non-malicious files.

It injects itself into certain legitimate processes as part of its memory residency routine.

It attempts to access a Web site to download a file which contains information on where this malware can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites to monitor, from which this malware steals information.

Once users access any of the monitored sites, this malware starts logging keystrokes. It attempts to retrieve information from Web sites of certain financial-related institutions, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

The information stolen by this malware is saved in a file and is then sent to a server via HTTP POST.



Powered by: vBulletin, Copyright ©2000 - 2006, Jelsoft Enterprises Limited.
The UNIX and Linux Forums Content Copyright ©1993-2008. All Rights Reserved.
