The hacker behind the trojan then receives a serie of pictures showing exactly where the user clicked:

malware-virtualkeyboard1.jpg

malware-virtualkeyboard2.jpg

VirusTotal also decyphers a list of banking sites monitored by the virus and explains how the malware does it.

From VirusTotal