It is targeted at ATM machines made by a major manufacturer, running a 32-bit embedded Windows operating system, and it is smart enough to hide itself using several tactics.
What is interesting is that Kaspersky cited security camera footage from the locations of infected ATM machines showing that a bootable CD was used to infect them. The CD transfers the malware to the device, performs some checks and then edits the registry to start the malware, which then interacts with the ATM through the standard library MSXFS.dll, which Kaspersky informs readers is “Extension for Financial Services (XFS).”
It then runs in an infinite loop waiting for user input, but by default it will only accept commands on Sunday and Monday nights. It accepts multiple commands from an operator, who must then press the Enter button on the keypad to proceed. Another clever trick, clearly intended to ensure that only the right people can manipulate the machine, is requiring that a session key be entered.
It uses a random seed for every session, which is displayed on screen, and the operator needs to know the algorithm to generate a session key based on this random seed. If all goes right, the operator can now do some things you wish you could do at an ATM, like entering a cassette number and having the ATM dispense 40 banknotes from it.
Check out a video demonstration.