TSPY_BANKER.MCL
Overview



Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

Low

 

Description:

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious Web sites.

Upon execution, this spyware drops several files and creates a folder. It also modifies the HOSTS file so that the host names of the monitored Web sites resolve to an address chosen by the attacker instead of the sites' real servers. Because the HOSTS file is consulted before any DNS query, the user is redirected to a spoofed login page whenever any of the monitored Web sites is accessed, even though the correct URL is typed into the browser.
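A practical check for the HOSTS tampering described above is to parse the file and flag any mapping that sends a watched banking domain somewhere other than its real servers. The script below is an added example written for this page, not code from Trend Micro or from the malware itself. It embeds a constructed HOSTS file as sample input (the addresses and domain names are illustrative, not indicators from this threat), and the `watched_domains` list is an assumption that a practitioner would fill in with the bank domains relevant to their environment.

```python
import ipaddress
import os

# Constructed sample of a tampered Windows HOSTS file (not taken from the original page).
# 192.0.2.0/24 is the RFC 5737 documentation range; .test is a reserved TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.examplebank.test   examplebank.test   # injected entry
192.0.2.10\tsecure.examplebank.test
127.0.0.1       update.example-av.test
"""

# Names that legitimately point at loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) for every mapping in a HOSTS file.

    Comments (# to end of line) are stripped, whitespace may be spaces or tabs,
    and one address may be followed by several host names on the same line.
    Lines whose first field is not a valid IP address are skipped, as Windows
    itself ignores them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text, watched_domains):
    """Classify every non-default HOSTS mapping.

    Returns a list of (kind, line_no, hostname, ip) tuples where kind is:
      "redirect" - a watched domain (or a subdomain of one) resolves to any
                   address at all; a bank's name should never be in HOSTS
      "blocked"  - a name is pinned to loopback/unspecified, i.e. silently
                   made unreachable (a generic check, not specific to this threat)
      "unexpected" - any other static mapping, left for the analyst to review
    """
    watched = [d.lower().lstrip(".") for d in watched_domains]
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # stock entry, nothing to report
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append(("redirect", line_no, name, str(ip)))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append(("blocked", line_no, name, str(ip)))
        else:
            findings.append(("unexpected", line_no, name, str(ip)))
    return findings


def windows_hosts_path():
    """Location of the live HOSTS file on Windows (%SystemRoot% is set by the OS)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    # Assumed watch list; replace with the banking domains that matter to you.
    watch = ["examplebank.test"]
    for kind, line_no, name, ip in audit_hosts(SAMPLE_HOSTS, watch):
        print(f"{kind:10} line {line_no}: {name} -> {ip}")
```

Run it against the live file with `audit_hosts(open(windows_hosts_path()).read(), watch)`. Two caveats worth remembering when triaging a hit: a HOSTS redirect never appears in DNS server logs, because the resolver answers locally before querying DNS, so the endpoint file itself has to be inspected; and a redirect of this kind cannot forge the real site's TLS certificate, so a certificate warning on an HTTPS banking URL that was typed correctly is itself a strong indicator.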

It tracks Web browsing activity on the affected system by monitoring the browser's title bar. When a user visits a legitimate banking site whose title contains certain strings, it displays a spoofed login window. The spoofed window is positioned over the legitimate login area of the Web site, at a fixed location on the page, so that the user takes it to be part of the browser window.

This routine tricks the user into entering sensitive account-related information. The spyware logs the keystrokes typed into the user name and password fields of the spoofed login page, exposing the user's account credentials to unauthorized use.

This spyware then sends the gathered data to remote servers via HTTP POST. The information may also be stored on the server, identified by IP address, that hosts the spoofed page. It may also send the gathered information to email addresses via its own SMTP engine.

For additional information about this threat, see:
Solution
Technical Details



