This spyware may be downloaded from remote sites by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates folders. It drops copies of itself. It is injected into processes running in memory.

It modifies registry entries to enable its automatic execution at every system startup. It also creates registry key(s)/entry(ies) as part of its installation routine.

It attempts to access a Web site to download a file which contains information where the spyware can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information.

It accesses a remote site to download its configuration file. However, as of this writing, the said sites are inaccessible.

It creates mutex(es) to ensure that only one instance of itself is running in memory.