Articles in the Trend Micro Category
Posted in Trend Micro on 31 December 1969
This malicious HTML file may be hosted on a Web site and run when a user accesses that site.
Once a user visits a site hosting this malware, it attempts to download a malicious file from http://www.{BLOCKED}d.com/ngg.js. The downloaded file is detected as JS_REDIR1.A.
As a result, routines of the downloaded file are also exhibited on the affected system.
Posted in Trend Micro on 31 December 1969
This HTML file may be hosted on a Web site and run when a user accesses that site.
It accesses Web sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.
Posted in Trend Micro on 31 December 1969
This worm drops copies of itself.
It drops files/components.
It creates registry entries to enable its automatic execution at every system startup.
It modifies registry entries to hide files with both System and Read-only attributes.
It drops copies of itself in all physical drives.
It drops copies of itself in all removable drives.
It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
Posted in Trend Micro on 31 December 1969
This worm may be dropped by other malware.
It may be downloaded unknowingly by a user when visiting malicious Web sites.
It may arrive as a .DLL file that exports functions used by other malware.
It requires other components in order to run properly.
Posted in Trend Micro on 31 December 1969
This malware arrives on a system as a file dropped by other malware. It may also be installed manually by a user.
Upon execution, it drops a copy of itself and another file that contains its stolen information.
It monitors the Internet Explorer activities of the affected system. It logs keystrokes when a user accesses a Web site containing certain strings in its title bar.
It attempts to retrieve information from Web sites of certain banking institutions.
It gathers information by logging user keystrokes. It steals sensitive information, such as user names and passwords, and saves it in a file. This routine risks the exposure of sensitive user information, which may then lead to the unauthorized use of the stolen data.
It sends its stolen information to a remote site via HTTP POST.
Posted in Trend Micro on 31 December 1969
This backdoor may arrive bundled with malware packages as a malware component.
It opens an instance of Internet Explorer and injects its code to stay memory-resident.
This backdoor connects to an IP address. Once a connection is established, it allows a remote user to execute commands on the system, thus compromising system security. It also connects to the same IP address to send and receive information.









