Montp.f is actually a rather clever virus.
When you connect to your bank or use webmail, you are likely making a secure connection using SSL. You’ll notice a little “lock” icon down in the system tray and an https:// prefix up in the address field. That means that the traffic between you and them is encrypted so that no one can eavesdrop on it.
What you probably didn’t know is that there are troubleshooting tools that allow you to see the traffic going by anyway. One way to do this is to set a couple of registry keys and install a DLL. Immediately you’ll start collecting a clear-text log file containing all of the traffic.
This virus does something very similar. But once it collects the data, it’s not trying to help you. Of course not. It searches the collected data to see if you went to one of 74 bank websites along with some other websites that have passwords. If you have been to one of those sites, it collects the relevant login information and sends that information to the author via the Internet.
That’s where this virus isn’t as clever. Attempting to upload to a static IP address is not going to work. Sites like these usually get shut down rather quickly.
The virus also attempts to kill processes for security-related software (antivirus).
All in all, you’ve got to hand it to them for this one. Two thumbs up for the information collection feature. They’ve got to work on a better way to get the information back to themselves without being caught. I’ve got a few ideas on the subject. 🙂