Win32/Lolyda

Win32/Lolyda is a family of trojans that sends account information from popular online games to a remote server. They may also download and execute arbitrary files.

System Changes

• Presence of the following files:
  %temp%\lyloader.exe
  %windir%\dxtmechk
  <system folder>\REGKEY.hiv
  %temp%\D3D9_32.DLL
  %temp%\D3D9_64.DLL
  <system folder>\D3D9_32.DLL
  <system folder>\D3D9_64.DLL
  %temp%\LYMANGR.DLL
  %temp%\MSDEG32.DLL
  <system folder>\LYMANGR.DLL
  <system folder>\MSDEG32.DLL
  %temp%\shqmangr.dll
  %temp%\shq.dll
  <system folder>\shqmangr.dll
  <system folder>\shq.dll
• Presence of the following registry modifications:
  To key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  Adds value: DXDLG32
  With data: DXDLG.exe
  Adds value: MSDCG32
  With data: LyLeador.exe
  Adds value: MSDHG32
  With data: LyLoadhr.exe
  Adds value: MSDMG32
  With data: LyLoadmr.exe
  Adds value: MSDOG32
  With data: LyLoador.exe
  Adds value: MSDQG32
  With data: LyLoadqr.exe
  Adds value: MSDSG32
  With data: LyLoadar.exe
  Adds value: MSDWG32
  With data: LyLoadbr.exe

Win32/Lolyda is a family of trojans that send account information from popular online games to a remote server. They may also download and execute arbitrary files.

Recent variants of PWS:Win32/Lolyda install by copying themselves to <system folder>\HBmhly.exe and then deleting the originating executable. They also install a file to <system folder>\drivers\HBKernel.sys as a kernel driver service named “HBKernel”. This contains the payload of the malware. If the installer file is unable to communicate with the driver, it instead executes the malware’s payload itself and creates the following registry entry:
To key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value:  HBmhly
With data: “<system folder>\HBmhly.exe –r”

 

This ensures that it will attempt to recreate the kernel driver service upon system startup.

 

Earlier variants of PWS:Win32/Lolyda typically install themselves by dropping a file to %temp%\lyloader.exe and then executing this file. 
 
Win32/Lolyda initially deletes the original installer file, then drops two DLLs, placing copies of both of these in both the %temp% and System directories.

 

Examples of filenames being used in the wild for these DLLs have included:
• D3D9_32.DLL and D3D9_64.DLL
• LYMANGR.DLL and MSDEG32.DLL
• shqmangr.dll and shq.dll

 

It also drops two further configuration files to %windir%\dxtmechk and <system folder>\REGKEY.hiv, and copies itself to C:\Privilege.dat and <system folder>\DXDLG.exe.

 

It uses information in <system folder>\REGKEY.hiv to create new registry entries. One variant was observed to create the following

 

To key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: DXDLG32
With data: DXDLG.exe
Adds value: MSDCG32
With data: LyLeador.exe
Adds value: MSDHG32
With data: LyLoadhr.exe
Adds value: MSDMG32
With data: LyLoadmr.exe
Adds value: MSDOG32
With data: LyLoador.exe
Adds value: MSDQG32
With data: LyLoadqr.exe
Adds value: MSDSG32
With data: LyLoadar.exe
Adds value: MSDWG32
With data: LyLoadbr.exe

 

These modifications are an attempt to ensure that programs with these names run upon system startup.

 

It then injects code to call the dropped DLLs into services.exe and explorer.exe.

Downloads and Executes Arbitrary Files

When run, the malware makes a UDP connection to a remote server, from which it may download additional files. These files are saved to disk and then executed.

 

Servers observed to have been used in the wild include the following:

 

Steals Online Game Information

Win32/Lolyda examines the window titles of other running processes searching for titles and executables used by popular online role playing games. If any are found, the trojan injects code into these processes to attempt to obtain password and other account information from these games.

 

Several variants were observed to target the file 'my.exe' from the Chinese game 'Fantasy Westward Journey'.

 

An earlier variant was observed to target many other files or windows, including the following:

 

It also targeted a number of other files by determining whether their MD5 hash values appear on a specified list.

 

This information is posted to a server. Examples of servers observed to be used in the wild have included:

 

Analysis by David Wood

Take the following steps to help prevent infection on your system:

Enable a firewall on your computer

1. Click Start, and click Control Panel.
2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Click Change Windows Firewall Settings.
4. Select On.
5. Click OK.

1. Click Start, and click Control Panel.
2. Click Security.
3. Click Turn Windows Firewall on or off.
4. Select On.
5. Click OK.

Get the latest computer updates

1. Click Start, and click Control Panel. 
2. Click System.
3. Click Automatic Updates.
4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Use caution with attachments and file transfers

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.