TSPY_BANCOS.JN
Overview



Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: High

Information exposure: High

 

Description:

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious Web sites.

It drops a copy of itself. It also creates a registry entry to enable its automatic execution during system startup.

It monitors the Internet Explorer activities of the affected system, specifically the address bar. It recreates the legitimate Web site with a spoofed login page if a user visits banking Web sites. This tricks the user into giving out sensitive account-related information. It logs keystrokes entered by the user in the user name and password fields of the spoofed login page.

This spyware also attempts to retrieve information related to certain banking-related institutions. It also attempts to steal sensitive online banking information related to the aforementioned sites. It then saves the gathered information to a root folder and uploads it to a Web site using HTTP POST.

It checks for the presence of the following processes, which are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

  • outpost.exe
  • zlclient.exe

It terminates if either of the said processes exists. This is to ensure that the spyware will run uninterrupted.

It has rootkit capabilities, which enable it to hide its processes and files from the user.




