TSPY_ZBOT.PWQZ
Overview

Type: Trojan
Alias: Zbot
Infection reports: None
Destructive: No
Language: English
Affected systems: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Risk rating: Low

Reported infections: Low
System impact: High
Information exposure risk: High

Characteristics:

For an at-a-glance view of this spyware's behavior, refer to the Threat Diagram shown below.

TSPY_ZBOT.PWQZ Behavior Diagram

Spyware Overview

This spyware arrives as a file downloaded from a remote URL.

Upon execution, it drops a copy of itself in the system folder. It also creates a folder with the System and Hidden attributes, where it drops non-malicious files.

It creates or modifies registry entries to enable its automatic execution at system startup. It injects itself into legitimate processes as part of its memory residency routine.

It attempts to access a Web site to download a file. This file contains information on where the spyware can download an updated copy of itself and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information.

Note that the contents of the file, and hence the list of Web sites to monitor, may change at any time. Once users access any of the monitored sites, it starts logging keystrokes. It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

The stolen information is saved in a file, then sent to a remote server.





Date created: 2009/06/11


