The carrier of the threat, "img1big.gif," poses as an image file, according to the Storm Center in Bethesda, Md. The file is not an image at all but a file-dropper Trojan: a pair of Win32 executables compressed together with the open-source executable packer UPX.
The Trojan installs a Browser Helper Object (BHO) in Internet Explorer 4.x and later. One of the two executables performs the initial installation; the other installs the BHO. Once the BHO is loaded, it watches for SSL sessions with the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL," according to Storm Center handler John Bambenek.
The outbound data, including user names and passwords, is sent over an HTTP connection that the Trojan opens to http://www.refestltd.com/cgi-bin/yes.pl.
The center recommends BHODemon, free software from Definitive Solutions, to help administrators identify the BHOs installed on Windows systems.
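As an added example, not code from the article, the Storm Center or BHODemon, the script below performs the same kind of inventory: it enumerates the BHOs registered in the Windows registry, resolves each CLSID to the DLL that IE would load, and flags modules that are unsigned or carry UPX section names. The registry paths and the UPX section-name heuristic are this example's assumptions.

```powershell
# Added example: list registered Browser Helper Objects, resolve each to its
# DLL, and flag unsigned or UPX-packed modules. Run from an elevated
# PowerShell prompt on the Windows host being inspected.

# BHO registrations live under these keys (32-bit view included on x64 hosts).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # A COM in-process server's DLL path is the default value of CLSID\{clsid}\InProcServer32.
    foreach ($root in @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')) {
        $ips = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $ips) {
            $path = (Get-ItemProperty -Path $ips).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Test-UpxSectionNames {
    param([string]$Path)
    # Heuristic only: stock UPX names its PE sections UPX0/UPX1, which sit in the
    # section table near the start of the file. A renamed packer will not match.
    if (-not (Test-Path $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $len   = [Math]::Min($bytes.Length, 4096)
    $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $len)
    return [bool]($head -match 'UPX[01]')
}

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        [PSCustomObject]@{
            CLSID   = $clsid
            DLL     = $dll
            SigStatus = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
            UpxHint = if ($dll) { Test-UpxSectionNames -Path $dll } else { $false }
        }
    }
}

$results | Format-Table -AutoSize
```

Any row with an unsigned or UPX-flagged DLL in a user-writable directory deserves a closer look; compare the listing against a known-good baseline from an unaffected machine.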