TSPY_ZBOT.PF
Overview


Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

High

Infection Channel: Spammed via email

Description:

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TSPY_ZBOT.PF Behavior Diagram

Spyware Overview

This spyware arrives as an attachment to email messages spammed by other malware or by a malicious user. A screenshot of the message follows:

[Screenshot: the spammed email message]

Upon execution, this spyware drops a copy of itself in the Windows system folder as NTOS.EXE. It then appends extra bytes to the end of the dropped copy. The appended data is never loaded, so the file still runs, but its hash no longer matches the original, which defeats simple hash-based detection of the dropped file.

It downloads an encrypted configuration file from a remote Web site. The file lists banking-related URLs that the spyware watches for in the browser's address bar.

Once the user accesses any of the targeted Web sites, this spyware logs keystrokes to steal account information for those banking sites.

It captures user input, specifically the contents of user name and password fields, and saves it to a file.

This routine risks exposing the user's account information, which may then be used without authorization.

It sends the gathered information to a remote site through HTTP POST.
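The padding trick described above (extra bytes appended after the dropped NTOS.EXE) leaves a measurable trace: the PE section table still records where the real image ends, so anything past that point is an "overlay". The script below is an added example, not code from the original page or from Trend Micro. It parses the PE headers to compute the overlay size, hashes the image without its overlay so that padded variants of one build collapse to a single hash, and builds a small constructed PE sample in memory so it runs offline. The drop path `%SystemRoot%\system32\NTOS.EXE` checked at the end is an assumption based on the write-up's "system folder".

```python
"""Measure the appended overlay on a PE file (added example, not Trend Micro's code).

TSPY_ZBOT.PF appends extra bytes to the end of its dropped copy (NTOS.EXE).  The
Windows loader never maps bytes past the last section, so the file still runs,
but its hash changes.  The section table records where the image really ends:

    overlay = file size - max(PointerToRawData + SizeOfRawData)

Hashing only the bytes up to that point gives an "image hash" that is stable
across padded variants of the same build.  The NTOS.EXE path is an assumption.
"""
import hashlib
import os
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"


def overlay_size(data: bytes) -> int:
    """Return the number of bytes past the end of the last section (0 if none).

    Raises ValueError for non-PE input or a section table that points past EOF.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsects, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    entry = struct.calcsize(SECTION_HDR)
    table_end = table + nsects * entry
    if table_end > len(data):
        raise ValueError("section table runs past end of file")
    ends = [table_end]  # an image with no section data ends after its headers
    for i in range(nsects):
        fields = struct.unpack_from(SECTION_HDR, data, table + i * entry)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:
            ends.append(raw_ptr + raw_size)
    image_end = max(ends)
    if image_end > len(data):
        raise ValueError("section data runs past end of file (truncated?)")
    return len(data) - image_end


def file_hash(data: bytes) -> str:
    """SHA-256 of the whole file; changes with every byte of padding."""
    return hashlib.sha256(data).hexdigest()


def image_hash(data: bytes) -> str:
    """SHA-256 of the PE image with its overlay stripped; stable across padding."""
    return hashlib.sha256(data[:len(data) - overlay_size(data)]).hexdigest()


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed sample: a minimal one-section PE32 file (valid headers, inert body)."""
    file_align = 0x200
    raw_size = -(-len(payload) // file_align) * file_align  # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_HDR, 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 optional-header magic
    section = struct.pack(SECTION_HDR, b".text", len(payload), 0x1000,
                          raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(file_align, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


def main() -> None:
    clean = build_minimal_pe(b"\x90" * 16)   # constructed sample
    padded = clean + os.urandom(37)          # the dropper's trick applied to the sample
    for label, data in (("clean", clean), ("padded", padded)):
        print(f"{label}: size={len(data)} overlay={overlay_size(data)} "
              f"file_hash={file_hash(data)[:16]} image_hash={image_hash(data)[:16]}")
    # Optional check of the drop location named in the write-up (assumed path).
    candidate = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", "NTOS.EXE")
    if os.path.isfile(candidate):
        with open(candidate, "rb") as fh:
            data = fh.read()
        print(f"{candidate}: overlay={overlay_size(data)} image_hash={image_hash(data)}")


if __name__ == "__main__":
    main()
```

A non-zero overlay is not malicious by itself: Authenticode signatures, self-extracting installers and some packers legitimately store data past the last section. The useful signal here is the combination the write-up describes, an unsigned NTOS.EXE in the system folder whose overlay varies while its image hash does not, which also lets you group padded copies from different infections as the same build.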

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul 22, 2008



