According to them, the Trojan modifies at least one of the basic DirectX files such as DirectDraw, Direct3D or DirectSound. Consequently, the Trojan installs when Windows runs the modified Dx (DirectX) driver. Since Dx is normally utilized when online games are played, it implies that this dangerous Trojan becomes active when players download a computer game, and when the game is terminated, it deactivates itself.

Webroot discloses that the installer plants one or more keylogger component randomly named DLL (Dynamic-link Library) in c:\windows\system. After the installation of keylogger, it modifies at least one DirectX file. Every changed DirectX file is utilized for installing a single keylogger payload. This implies that in case the installer plants 4 keyloggers, it will change 4 DirectX files as well.

In addition to stealing keystrokes, the Trojan captures screenshots of everything on the computer-screen. During this time, when the Trojan is active, it packages all the things in a .cab folder and subsequently uploaded to a remote server. After the analysis of the components of the Cashcab keylogger, it can be said that the Trojan targets various popular Massively Multiplayer Online (MMO) games like World-of-Warcraft of Blizzard and Aion of NCSoft, the researchers note.

However, despite no anti-virus software installed on the PC of a player, it is still possible to detect the infection on the system, said the researchers.

Consequently, Webroot explains that users can easily identify whether this horrible malware is residing inside their systems or not by executing Microsoft's Dx Diagnostics software, packaged with Windows. During the execution, it is necessary to input information inside a tiny checkbox placed downwards. If the line, which suggests the absence of a driver alternatively the digital signature of Microsoft, is there, it will imply that the user has the Trojan virus on his computer.

Nevertheless, it can be removed with the user just loading up-to-date DirectX version replacing the one contaminated, following which the offensive malware will disappear.