Description:
Trend Micro threat researchers post findings and analyses on various threats in real-time at the Malware Blog. Users can find more information about this specific threat here.
This spyware may be downloaded from remote sites by other malware.
It monitors Internet Explorer activity on the affected system, specifically the title bar. If a user visits a banking site with certain strings in the title bar, it recreates the legitimate Web site with a spoofed login page.
The spoofed login page overlaps the legitimate login area of the Web site, tricking the user into thinking that it is part of the IE window. It is located in a fixed area of the legitimate Web site. This routine tricks the user into giving out sensitive account-related information. The spyware then logs the keystrokes the user enters in the user name and password fields of the spoofed login page.
It sends gathered information to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine.
This spyware accesses URLs to download text files that contain information on the email messages it sends out.
Below is a screenshot of the sample e-card that it sends out:

When a user clicks on the image, it downloads a file that is detected by Trend Micro as TROJ_BANLOAD.EKG.