PWS:Win32/Lolyda.BF


PWS:Win32/Lolyda.BF collects user and computer information and sends this to its remote server. It may also monitor network activity on the infected computer in order to steal user credentials.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

PWS:Win32/Lolyda.BF is also capable of disabling security services and terminating security processes.

Installation

PWS:Win32/Lolyda.BF can be dropped into the %TEMP% or %ROOT% directories as LOGO.EXE, CAP.EXE or a random file name.

Note: %TEMP% refers to a variable location that the malware determines by querying the operating system. The default location of the Temporary folder for Windows 2000, XP and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; for Vista and 7 it is C:\Users\<user name>\AppData\Local\Temp. %ROOT% is C:\ on most systems.
 
When executed, it drops a copy of itself as %TEMP%\<random numbers>.dat, for example %TEMP%\1306574566.dat.

It may also rename the following files:

  • From <system folder>\ksuser.dll to <system folder>\YUksuser.dll
  • From <system folder>\midimap.dll to <system folder>\YUmidimap.dll
  • From <system folder>\comres.dll to <system folder>\YUcomres.dll

It may then drop the DLL malware component files to the following locations:

  • <system folder>\dllcache\ksuser.dll
  • <system folder>\dllcache\midimap.dll
  • <system folder>\dllcache\comres.dll

This technique replaces the legitimate ksuser.dll, midimap.dll and comres.dll with the malware's component files the moment an application loads those DLLs.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista and 7 it is C:\Windows\System32.

It also drops a component file in the following directory:

  • <system folder>\sysapp<random number>.dll

Payload

Disables security service

PWS:Win32/Lolyda.BF has been observed running command-line instructions to stop and disable the 'cryptsvc' service.

Terminates security processes

PWS:Win32/Lolyda.BF searches for, and if found terminates, the following processes:

  • 360TRAY.EXE
  • RSTRAY.EXE

It also terminates any process that has loaded the following module:

  • ASKTAO.MOD

Steals sensitive information

PWS:Win32/Lolyda.BF collects user and computer information, such as the computer name, user name and MAC address (Media Access Control address), and sends this to a remote attacker.

It also monitors the system desktop and may take a screenshot of the infected computer and send it to its remote server.

At the time of writing, the details of the remote attacker were not available.

It also monitors system processes by inspecting the data each process sends and receives over the Internet. For online gaming applications, the malware flags network communication containing the following keywords:

  • level
  • gold_coin
  • balance
  • cash

Additional information

It constantly checks for updates and configuration from its remote server. The remote server is specified in its configuration file, and is saved in <malware directory>\data\config.ini.

Analysis by Zarestel Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    LOGO.EXE
    CAP.EXE
    YUksuser.dll
    YUmidimap.dll
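The file artefacts listed under Installation and Symptoms can be checked in one pass. The following triage script is an added example, not Microsoft's detection logic; the folder paths are parameters (so it can also be pointed at a mounted offline image), and the file names and patterns are exactly the ones this entry names. The "replaced_dll" check rests on the write-up's statement that the YU-prefixed file is the renamed legitimate DLL: if the live ksuser.dll, midimap.dll or comres.dll no longer matches its YU-prefixed copy byte for byte, the component file has taken its place.

```python
import filecmp
import os
import re

# File names taken from the write-up; paths are parameters so the
# check can also run over an offline disk image.
RENAMED = {"ksuser.dll": "YUksuser.dll", "midimap.dll": "YUmidimap.dll",
           "comres.dll": "YUcomres.dll"}
DROPPED_EXES = {"LOGO.EXE", "CAP.EXE"}
SYSAPP_RE = re.compile(r"^sysapp\d+\.dll$")   # <system folder>\sysapp<random number>.dll
DAT_RE = re.compile(r"^\d+\.dat$")            # %TEMP%\<random numbers>.dat


def _listing(folder):
    """Map lower-cased file name -> full path; empty if the folder is unreadable."""
    try:
        return {n.lower(): os.path.join(folder, n) for n in os.listdir(folder)}
    except OSError:
        return {}


def scan_lolyda_indicators(system_folder, temp_folder, root_folder):
    """Return (indicator, path) pairs for the artefacts the write-up lists."""
    findings = []
    sys_names = _listing(system_folder)
    for original, renamed in RENAMED.items():
        renamed_path = sys_names.get(renamed.lower())
        if renamed_path is None:
            continue
        findings.append(("renamed_original", renamed_path))
        # The YU-prefixed file is the legitimate DLL that was renamed; a live
        # DLL whose bytes differ from it has been swapped for the component.
        live_path = sys_names.get(original)
        if (live_path and os.path.isfile(live_path)
                and not filecmp.cmp(live_path, renamed_path, shallow=False)):
            findings.append(("replaced_dll", live_path))
    for name, path in sys_names.items():
        if SYSAPP_RE.match(name):
            findings.append(("sysapp_component", path))
    for folder in (temp_folder, root_folder):
        for name, path in _listing(folder).items():
            if name.upper() in DROPPED_EXES:
                findings.append(("dropped_exe", path))
    for name, path in _listing(temp_folder).items():
        if DAT_RE.match(name):
            findings.append(("dat_copy", path))
    return findings
```

On a live Windows host, call it with the System32 folder under %SystemRoot%, the %TEMP% folder and C:\; an empty result means none of the listed file artefacts were found, not that the host is clean.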

Prevention


Alert level: Severe
First detected by definition: 1.99.358.0
Latest detected by definition: 1.185.294.0 and higher
First detected on: Mar 01, 2011
This entry was first published on: Mar 01, 2011
This entry was updated on: Jun 14, 2011

This threat is also detected as:
  • Win-Trojan/Infostealer.3258525 (AhnLab)
  • Trojan-GameThief.Win32.OnLineGames.xquv (Kaspersky)
  • Trojan.PWS.Gamania.origin (Dr.Web)
  • Trojan-GameThief.Win32.Frethoq (Ikarus)
  • PWS-OnlineGames.hi.gen.a (McAfee)
  • Trojan.PSW.Win32.DNFOnLine.bl (Rising AV)
  • TROJ_RVERSE.SMI (Trend Micro)