Malware in this family often is disguised as an image file or as legitimate software. When the user opens the malware, it shows an image or window that does not contain actual content. The malware then extracts a file, contained inside of it, to a temporary folder. This file (in most cases, a keylogger) is added by the malware to the list of programs automatically launched by the operating system during startup.
Geographical distribution of attacks by the Trojan.MSIL.Disfa family
Geographical distribution of attacks during the period from 14 March 2015 to 14 March 2016
Top 10 countries with most attacked users (% of total attacks)
* Percentage among all unique Kaspersky users worldwide who were attacked by this malware