Obfuscated multi-browser banking trojan spotted by Spain's S21sec

According to Jozsef Gegeny and Jose Miguel Esparza, the two S21Sec researchers who discovered Tatanga, as the malware is known, it is coded in C++ and organised into modules with different functionalities that are decrypted into RAM and encrypted again as required.

So far, the researchers say, the trojan has been seen targeting online banking users in Germany, Portugal, Spain and the UK.

"Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users", the researchers said in their latest security blog.

The bad news, the researchers added, is that the detection rate for the malware is very low, and only a few AV engines are capable of spotting its presence.

S21Sec reports that Tatanga is sophisticated but, occasionally, its files are visible.

"Like other trojans of this kind, it uses an encrypted configuration file. This file is in XML format and has an element for each affected country", say the researchers.

"Depending on the targeted bank, the trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction in the user session", the researchers claim.

Reporting on the trojan, the Softpedia newswire says that a run-through on the signature-based VirusTotal scan site reveals that only 9 of 43 anti-virus engines currently detect the infector as malicious, and most of them do so under generic names.

"Microsoft calls it Trojan:Win32/Mariofev.B and first added detection for it on September 03 2010. However, the definition was updated a week ago, probably to account for new variants", notes the newswire.

When active, Tatanga is said to link into explorer.exe and can inject HTML into Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Minefield (Firefox development builds), Maxthon, Netscape, Safari and Konqueror, which is to say basically every popular browser.
