PWS:Win32/Lolyda.BF collects user and computer information and sends this to its remote server. It may also monitor network activity on the infected computer in order to steal user credentials.
It is capable of disabling security services and terminating security processes.
Installation
PWS:Win32/Lolyda.BF can be dropped into the %TEMP% or %ROOT% directories as LOGO.EXE, CAP.EXE or a random file name.
Note: %TEMP% refers to a variable location that the malware determines by querying the operating system. The default Temporary folder for Windows 2000, XP and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp (the short-name form of C:\Documents and Settings\<user>\Local Settings\Temp); for Vista and 7 it is C:\Users\<user name>\AppData\Local\Temp. %ROOT% is C:\ on most systems.
When executed, it drops a copy of itself as %TEMP%\<random numbers>.dat, for example %TEMP%\1306574566.dat.
It may also rename the following files:
- From <system folder>\ksuser.dll to <system folder>\YUksuser.dll
- From <system folder>\midimap.dll to <system folder>\YUmidimap.dll
- From <system folder>\comres.dll to <system folder>\YUcomres.dll
It may then drop the DLL malware component files to the following locations:
- <system folder>\dllcache\ksuser.dll
- <system folder>\dllcache\midimap.dll
- <system folder>\dllcache\comres.dll
This technique abuses Windows File Protection (WFP). ksuser.dll, midimap.dll and comres.dll are protected system files, so once the originals have been renamed out of the way, WFP repairs the apparently missing files by copying them back from dllcache, where the malware has already placed its own versions. From that point on, any application that loads one of these DLLs loads the malware's component instead of the legitimate library.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It also drops a component file in the following directory:
- <system folder>\sysapp<random number>.dll
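As an added example (not code from the original write-up or from Microsoft), the following PowerShell script checks a live host, or a mounted offline image, for the installation artifacts listed above: the renamed YU*.dll originals, dllcache copies whose hash or Authenticode status differs from what an intact system shows, the sysapp<random>.dll component, and the droppers and numeric .dat self-copy in Temp and the drive root. The parameter names, the SHA-256 comparison and the signature-status heuristic are this example's own assumptions.

```powershell
# Added example: triage for Lolyda.BF installation artifacts.
# Run on the live host, or against a mounted image by pointing -WindowsDir
# and -TempDirs at the mounted paths. Path layout and checks are assumptions
# made here, not details from the original write-up.
param(
    [string]$WindowsDir = $env:SystemRoot,       # e.g. C:\Windows or E:\Windows (mounted image)
    [string[]]$TempDirs = @($env:TEMP),          # add each profile's Temp folder for an image
    [string]$RootDir    = "$env:SystemDrive\"    # %ROOT% is normally C:\
)

$system32 = Join-Path $WindowsDir 'System32'
$dllcache = Join-Path $system32 'dllcache'
$targets  = 'ksuser.dll', 'midimap.dll', 'comres.dll'
$findings = @()

foreach ($name in $targets) {
    # 1. Renamed originals: the malware moves ksuser.dll to YUksuser.dll, etc.
    $renamed = Join-Path $system32 ("YU" + $name)
    if (Test-Path $renamed) {
        $findings += "renamed original present: $renamed"
    }

    # 2. Signature status of both the System32 copy and the dllcache copy.
    #    Genuine OS files are catalog-signed and report 'Valid'; a dropped DLL
    #    does not. On an offline image the catalog lookup runs against the
    #    analysis host's own catalogs, so 'NotSigned' there is only a lead.
    $live  = Join-Path $system32 $name
    $cache = Join-Path $dllcache $name
    foreach ($path in @($live, $cache)) {
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "unsigned or invalid signature: $path ($($sig.Status))"
        }
    }

    # 3. WFP treats dllcache as the known-good source. A dllcache copy that
    #    differs from the System32 copy means one of them has been swapped.
    if ((Test-Path $live) -and (Test-Path $cache)) {
        $h1 = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
        $h2 = (Get-FileHash -Algorithm SHA256 -Path $cache).Hash
        if ($h1 -ne $h2) {
            $findings += "dllcache and System32 copies differ: $name ($h1 vs $h2)"
        }
    }
}

# 4. Dropped component DLL with a random numeric suffix in System32.
Get-ChildItem -Path $system32 -Filter 'sysapp*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "component DLL: $($_.FullName)" }

# 5. Droppers (LOGO.EXE, CAP.EXE) and the <random numbers>.dat self-copy
#    in Temp and in the drive root. -match is case-insensitive in PowerShell.
foreach ($dir in ($TempDirs + $RootDir)) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(LOGO|CAP)\.EXE$' -or $_.Name -match '^\d+\.dat$' } |
        ForEach-Object { $findings += "dropped file: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    'No Lolyda.BF installation artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The hash mismatch between the dllcache and System32 copies is the stronger indicator; the Authenticode check is a supporting signal, because Get-AuthenticodeSignature resolves catalog signatures through the catalog database of the machine running the script, not the image being examined.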
Payload
Disables security service
PWS:Win32/Lolyda.BF has been observed running command-line instructions to stop and disable the 'cryptsvc' service (Cryptographic Services), which performs the catalog-based signature verification that Windows File Protection relies on to validate system files.
Terminates security processes
PWS:Win32/Lolyda.BF searches for, and if found terminates the following processes:
It also terminates any process that has loaded the following module:
Steals sensitive information
PWS:Win32/Lolyda.BF collects user and computer information, such as the computer name, user name and MAC address (Media Access Control address), and sends this to a remote attacker.
It also monitors the system desktop and may take a screenshot of the infected computer, and send this to its remote server.
At the time of writing, the details of the remote attacker were not available.
It also monitors other processes on the system, inspecting the data they send and receive over the Internet. For online gaming applications, the malware flags network communication containing the following keywords:
- level
- gold_coin
- balance
- cash
Additional information
It constantly checks for updates and configuration from its remote server. The remote server is specified in its configuration file, and is saved in <malware directory>\data\config.ini.
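As an added example (not code from the original write-up or from Microsoft) covering both the 'cryptsvc' tampering described under "Disables security service" and the configuration file described here, the following PowerShell script reports the state of Cryptographic Services on a live host or in an offline SYSTEM hive, re-enables it when it has been stopped or disabled, and looks for data\config.ini under the directories the malware is known to drop into. The candidate directory list, the offline-hive handling and the choice to dump config.ini rather than parse it (the write-up does not document its format) are this example's own assumptions.

```powershell
# Added example: check and restore cryptsvc, then locate the malware's
# data\config.ini. Candidate directories and hive handling are assumptions
# made here, not details from the original write-up.
param(
    [string[]]$CandidateDirs   = @($env:TEMP, "$env:SystemDrive\"),   # %TEMP% and %ROOT%
    [string]$OfflineSystemHive = ''   # e.g. E:\Windows\System32\config\SYSTEM for a mounted image
)

function Get-CryptSvcState {
    if ($OfflineSystemHive) {
        # Offline image: load the SYSTEM hive and read the service's Start value
        # from the control set that was current at last boot.
        # Start = 2 Automatic, 3 Manual, 4 Disabled.
        reg.exe load HKLM\LolydaTriage $OfflineSystemHive | Out-Null
        try {
            $sel   = (Get-ItemProperty 'HKLM:\LolydaTriage\Select').Current
            $key   = "HKLM:\LolydaTriage\ControlSet{0:D3}\Services\CryptSvc" -f $sel
            $start = [int](Get-ItemProperty $key).Start
        } finally {
            reg.exe unload HKLM\LolydaTriage | Out-Null
        }
        $names = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
        return [pscustomobject]@{ Status = 'offline'; StartType = $names[$start] }
    }
    # Live host: service status from the SCM, start mode from WMI so the check
    # also works on PowerShell versions whose Get-Service lacks StartType.
    $svc   = Get-Service -Name cryptsvc
    $start = (Get-WmiObject Win32_Service -Filter "Name='cryptsvc'").StartMode
    return [pscustomobject]@{ Status = $svc.Status.ToString(); StartType = $start }
}

$state = Get-CryptSvcState
"cryptsvc: status=$($state.Status) start=$($state.StartType)"

if (-not $OfflineSystemHive -and ($state.StartType -eq 'Disabled' -or $state.Status -ne 'Running')) {
    # Restore the service: catalog signature verification, and with it
    # Windows File Protection's ability to validate system files, depends on it.
    '[!] cryptsvc is stopped or disabled; restoring Automatic start and starting it'
    Set-Service -Name cryptsvc -StartupType Automatic
    Start-Service -Name cryptsvc
}

# The remote server address lives in <malware directory>\data\config.ini.
# The exact malware directory is not fixed, so check each known drop location.
foreach ($dir in $CandidateDirs) {
    $cfg = Join-Path $dir 'data\config.ini'
    if (Test-Path $cfg) {
        "[!] configuration file present: $cfg"
        # The file format is not documented in the write-up, so show the
        # contents for the analyst rather than assuming a key name for the server.
        Get-Content -Path $cfg
    }
}
```

Loading an offline hive needs an elevated prompt, and the hive must not be in use by a running Windows installation; on a live host, re-enabling the service only helps after the replaced DLLs have been restored, because WFP will otherwise keep the dllcache copies the malware planted.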
Analysis by Zarestel Ferrer