The trojan installs a keylogger to sniff; and a BHO (Browser Helper Object) for Internet Explorer to be able to inject content into web pages. This content is defined in a configuration file which has drastically changed since the last version we looked at.
Now, the configuration file does not contain any external links to phishing pages anymore. So to injecting content into a web page, the local configuration is used and no external domains need to be contacted.
The actual version creates different files which can mostly found in the %System% folder (c:windowssystem32 in WinXP). The current .dll used as BHO is called jetaccs.dll and can be seen with HijackThis from Trendmicro.
Sniffed data is stored in %System%alog.txt. After restarting the browser this file is send to the c&c server and gets deleted afterward.
A fast test confirmed the first guess, accounts from gmail don’t get sniffed, whereas account data from e.g. gmx.net (not found in the configuration file) gets collected. The reason for this exclusion is not clear until now.
To manually disinfect a computer, HijackThis can be used to disable the BHO. %System%jetaccs.dll has to be renamed and can be deleted after a reboot.