According to the article on eWeek.com, malware on each of the infected machines (running Windows XP) was installed and activated through a Borland Delhi RAD (Rapd Application Development) executable dropper file by the name of isadmin.exe. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO that contains the actual malware. The dropper file is executed when the hacker inserts a fake ATM card with the malware trigger code into the machine. Once activated, the trigger code produces the malware file Isass.exe inside the C:\\WINDOWS directory of the compromised system.

The eWeek.com article reports that this particular ATM hacker vulnerability can be easily modified to target multiple ATM vendors and is making it’s way to other countries, including the US.