It is designed to steal usernames and passwords associated with a variety of popular websites such as YouTube, Google and PayPal, but also those linked to Chinese websites such as youku.com, tudou.com, sogou.com and soho.com. Taking that information together with the fact that the Trojan sends the stolen credentials to a server located in China, you can see why the researchers believe it comes from that country.
But there is another thing that piqued their interest. Contrary to the typical behavior of Trojans, which try to modify registry keys or take advantage of the autorun feature to ensure they will be run, this one looks for shortcuts located on the desktop or in special folders.
Then it makes copies of itself and places them in the folders containing the linked files (often executables), renames those linked files to click_[original-file-name].exe and gives its copies the names of the originally linked files.
This way, every time a user clicks on a shortcut, it runs the Trojan. Also, in order to remain undetected as long as possible, the copies are instructed to run the renamed files after being executed themselves.
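A detection sketch for the file swap described above, added here as an example and not taken from the researchers' tooling: it flags folders holding both click_NAME.exe and NAME.exe, then groups the suspected stand-ins by SHA-256. The function names, the constructed sample tree and the assumption that the Trojan's copies are byte-identical are not from the article.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

PREFIX = "click_"  # rename prefix reported in the article


def find_swapped_pairs(root):
    """Return sorted (stand_in, renamed_original) path pairs found under root."""
    pairs = []
    for folder, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        by_lower = {name.lower(): name for name in files}
        for lower, name in by_lower.items():
            sibling = by_lower.get(lower[len(PREFIX):])
            if lower.startswith(PREFIX) and lower.endswith(".exe") and sibling:
                pairs.append((os.path.join(folder, sibling), os.path.join(folder, name)))
    return sorted(pairs)


def repeated_stand_ins(pairs):
    """Group stand-ins by SHA-256 and keep hashes seen in more than one pair.

    Assumption: self-copies are byte-identical, so one hash appearing under
    several unrelated program names is a much stronger signal than a name match.
    """
    groups = defaultdict(list)
    for stand_in, _original in pairs:
        groups[hashlib.sha256(Path(stand_in).read_bytes()).hexdigest()].append(stand_in)
    return {digest: paths for digest, paths in groups.items() if len(paths) > 1}


def build_sample_tree(root):
    """Constructed sample data: two swapped folders and one clean folder."""
    layout = {
        "AppA/tool.exe": b"SAME-BYTES", "AppA/click_tool.exe": b"real tool",
        "AppB/Viewer.exe": b"SAME-BYTES", "AppB/Click_Viewer.exe": b"real viewer",
        "AppC/editor.exe": b"real editor", "AppC/click_notes.txt": b"unrelated",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(repeated_stand_ins(find_swapped_pairs(tmp)))
```

A name match alone can hit legitimate software that ships a click_-prefixed binary, so treat single pairs as leads and repeated hashes as the higher-confidence finding.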