Threat behavior
PWS:Win32/Lolyda.AG is detection for a password stealing trojan that steals account information from popular online games and sends the captured details to a remote server.
Installation
When executed, PWS:Win32/Lolyda.AG drops a trojan component having a random file name such as the following:
<system folder>\GTH88450.dll - contains instructions to steal game related information
The trojan replaces a system file (comres.dll), which is commonly loaded by online game clients, with a copy of itself. The trojan first copies "<system folder>\comres.dll" to "<system folder>\sysgth.dll". Then it disables SFC (aka System File Checker) for comres.dll and replaces this file with a dropped copy. The replaced copy loads the trojan component, for example, <system folder>\GTH88450.dll.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
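The installation steps above leave three file-system traces a responder can check for: the backup copy sysgth.dll, a dropped DLL whose name follows the GTH-plus-digits pattern, and a comres.dll that no longer matches a known-good copy and instead references the dropped component. The following triage script is an added example (not part of the original encyclopedia entry, and not Microsoft's tooling). It assumes the dropped-file name pattern "GTH" followed by five digits (generalised from the single example GTH88450.dll given on the page), that the operator supplies a known-good SHA-256 for comres.dll taken from a clean machine of the same Windows build, and it builds a constructed sample folder in a temporary directory so it runs offline.

```python
"""
Triage check for the file-system traces of the comres.dll replacement described
above. Added example, not part of the original encyclopedia entry.
"""
import hashlib
import os
import re
import tempfile

# Assumed naming pattern for the dropped component: the page gives one random
# example (GTH88450.dll); "GTH" + five digits is our generalisation.
DROPPED_DLL_RE = re.compile(rb"GTH\d{5}\.dll", re.IGNORECASE)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_system_folder(system_folder, known_good_comres_sha256=None):
    """Return a list of finding strings for the traces described on the page.

    known_good_comres_sha256: optional baseline hash of comres.dll taken from a
    clean machine of the same build (placeholder; the page supplies no hash).
    """
    findings = []
    names = {n.lower(): n for n in os.listdir(system_folder)}

    # 1. The backup the trojan makes of the original comres.dll.
    if "sysgth.dll" in names:
        findings.append("sysgth.dll present (backup of original comres.dll made by trojan)")

    # 2. A dropped component following the GTH<digits>.dll naming.
    for lower, original in names.items():
        if DROPPED_DLL_RE.fullmatch(lower.encode()):
            findings.append(f"dropped component candidate: {original}")

    # 3. comres.dll integrity: hash differs from the baseline, or the file embeds
    #    a reference to a GTH<digits>.dll (the replaced copy loads that component).
    if "comres.dll" in names:
        comres = os.path.join(system_folder, names["comres.dll"])
        if known_good_comres_sha256 and sha256_of(comres) != known_good_comres_sha256.lower():
            findings.append("comres.dll hash differs from known-good baseline")
        with open(comres, "rb") as f:
            data = f.read()
        m = DROPPED_DLL_RE.search(data)
        if m:
            findings.append(f"comres.dll references {m.group().decode()} (loader behaviour)")
    return findings


def build_sample_tree(infected=True):
    """Constructed sample system folder with placeholder bytes (not real malware)."""
    d = tempfile.mkdtemp()
    comres_bytes = (b"MZ placeholder that loads GTH88450.dll" if infected
                    else b"MZ clean placeholder")
    with open(os.path.join(d, "comres.dll"), "wb") as f:
        f.write(comres_bytes)
    if infected:
        with open(os.path.join(d, "sysgth.dll"), "wb") as f:
            f.write(b"MZ placeholder for the original comres.dll")
        with open(os.path.join(d, "GTH88450.dll"), "wb") as f:
            f.write(b"MZ placeholder for the dropped component")
    return d


if __name__ == "__main__":
    for finding in triage_system_folder(build_sample_tree(infected=True)):
        print("FINDING:", finding)
    print("clean folder findings:", triage_system_folder(build_sample_tree(infected=False)))
```

On a real host, point triage_system_folder at the system folder named in the note above (C:\Windows\System32 on XP and Vista) and pass the baseline hash; the string search in step 3 is a cheap heuristic, so a hash mismatch or a signature check against the Windows catalog should be the deciding evidence, with the string hit used only to prioritise a sample for analysis.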
Payload
Steals Online Game Information
PWS:Win32/Lolyda.AG attempts to search the affected computer's memory in order to locate running processes of several popular online games (such as "QQGame"). It does this in order to find particular information, such as the following:
Username
Password
Server Address
Character Information
This information is posted to a remote server for collection by an attacker.
Additional Information
PWS:Win32/Lolyda.AG also hooks system APIs and patches the targeted online game's client process in memory. These hooks may prevent normal communication between the game client and the game server.
Analysis by Chun Feng
Prevention