When the Trojan is executed, it drops the following file:
Next, the Trojan infects the following file:
The infected imm32.dll file is used to load the dropped .dll file into the browser's process space when either of the following processes starts:
- Internet Explorer
- Mozilla Firefox
The Trojan then steals online banking information by hooking API functions in the browser process that allow it to monitor network traffic.
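A defender-side check for the two behaviours just described, added here as an example (it is not part of the Symantec writeup): it verifies that the system imm32.dll still carries a valid signature and records its SHA-256 for comparison with a known-good copy, then lists any module loaded into a running Internet Explorer or Firefox process that is not validly signed. Process names iexplore and firefox are assumed; run it elevated, from a PowerShell of the same bitness as the browsers, and note that on older Windows versions catalog-signed system files report NotSigned, so rely on the hash comparison there.

```powershell
# Added example, not from the original writeup: integrity check for imm32.dll and a
# triage list of unsigned modules inside the browser processes the Trojan targets.

$imm32 = Join-Path $env:SystemRoot 'System32\imm32.dll'
$sig   = Get-AuthenticodeSignature -FilePath $imm32
$hash  = (Get-FileHash -Path $imm32 -Algorithm SHA256).Hash
Write-Host "imm32.dll signature status: $($sig.Status)"
Write-Host "imm32.dll SHA256: $hash   (compare against a known-good copy of the same OS build)"
if ($sig.Status -ne 'Valid') {
    Write-Warning 'imm32.dll does not carry a valid signature; treat it as possibly infected until the hash is confirmed.'
}

# Browser process names assumed for Internet Explorer and Mozilla Firefox.
$browsers = Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue
if (-not $browsers) { Write-Host 'No Internet Explorer or Firefox processes are running.' }

foreach ($proc in $browsers) {
    # Enumerating modules requires matching bitness and sufficient privilege.
    foreach ($mod in $proc.Modules) {
        $modSig = Get-AuthenticodeSignature -FilePath $mod.FileName
        if ($modSig.Status -ne 'Valid') {
            # Any unsigned or tampered DLL inside a browser is worth triaging:
            # the dropped component is loaded here by the infected imm32.dll.
            [PSCustomObject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $mod.FileName
                Signature = $modSig.Status
                SHA256    = (Get-FileHash -Path $mod.FileName -Algorithm SHA256).Hash
            }
        }
    }
}
```

The output is a triage list, not a verdict: legitimate third-party plug-ins can also appear unsigned, so confirm each hit against vendor hashes before acting on it.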
It may upload the stolen information to one of the following remote locations:
The Trojan also periodically downloads an encrypted configuration file from one of the following remote locations:
The configuration file contains the following instructions that the Trojan uses when monitoring network traffic:
- Capture GET request
- Capture POST request
- Capture page data for specified URLs
The targeted URLs are related to online banking sites.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":