Threat behavior
PWS:Win32/Lolyda.AM is a detection for a password stealing trojan that steals account information from popular online games and sends the captured details to a remote server.
Installation
PWS:Win32/Lolyda.AM is dropped by other Win32/Lolyda components.
Payload
Steals online game information
PWS:Win32/Lolyda.AM attempts to patch the in-memory processes of several online games (for example, AskTao) in order to read information such as the following:
Username
Password
Server Address
Character Information
This information is posted to a remote server for collection by an attacker.
Captures screenshots
PWS:Win32/Lolyda.AM may take a screen snapshot as a bitmap (.BMP) image file saved in the Windows temporary files folder. It then sends the file to a remote server. This action is done to steal the "password protector" (question and answer) picture file used by online games.
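The screenshot behaviour above leaves a two-step trace a defender can correlate: a bitmap written into the Windows temp folder, followed shortly by an outbound connection from the same process. The example below is added here and is not part of Microsoft's analysis; it runs over constructed Sysmon-style records (Event ID 11 FileCreate, Event ID 3 NetworkConnect), and the image paths, timestamps, addresses and the 120-second window are assumptions.

```python
"""Flag a process that writes a .BMP into a Windows temp folder and then opens an
outbound connection shortly afterwards. Events are constructed, Sysmon-style
records: field names follow Sysmon, but every value is hypothetical."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumption: upload follows the write within 2 min

def is_temp_bmp(path: str) -> bool:
    """True when the created file is a bitmap under a Temp/Tmp directory."""
    p = path.lower()
    return p.endswith(".bmp") and ("\\temp\\" in p or "\\tmp\\" in p)

def correlate(events):
    """Return (image, bmp_path, remote) for each process whose temp .BMP write is
    followed within WINDOW by an outbound connection it initiated."""
    pending = {}  # ProcessGuid -> (write time, image, bmp path)
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 11 and is_temp_bmp(ev["TargetFilename"]):
            pending[guid] = (ev["UtcTime"], ev["Image"], ev["TargetFilename"])
        elif ev["EventID"] == 3 and ev.get("Initiated") and guid in pending:
            t0, image, path = pending.pop(guid)
            if ev["UtcTime"] - t0 <= WINDOW:
                remote = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                hits.append((image, path, remote))
    return hits

T = datetime(2024, 1, 1, 12, 0, 0)  # constructed base timestamp
DROPPER = "C:\\Users\\u\\AppData\\Roaming\\helper.exe"  # hypothetical image path
SAMPLE_EVENTS = [
    # suspicious: bitmap dropped in %TEMP%, then a connection 40 s later
    {"EventID": 11, "UtcTime": T, "ProcessGuid": "A", "Image": DROPPER,
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\~shot1.bmp"},
    {"EventID": 3, "UtcTime": T + timedelta(seconds=40), "ProcessGuid": "A", "Image": DROPPER,
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # benign: image editor saves a bitmap to Documents and never connects out
    {"EventID": 11, "UtcTime": T + timedelta(seconds=5), "ProcessGuid": "B",
     "Image": "C:\\Windows\\System32\\mspaint.exe",
     "TargetFilename": "C:\\Users\\u\\Documents\\drawing.bmp"},
    # benign: browser connects out without any temp bitmap write
    {"EventID": 3, "UtcTime": T + timedelta(seconds=50), "ProcessGuid": "C",
     "Image": "C:\\Program Files\\Browser\\browser.exe", "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, path, remote in correlate(SAMPLE_EVENTS):
        print(f"suspect: {image} wrote {path} then connected to {remote}")
```

Only the dropper process is reported; the editor's bitmap never touches a temp folder and the browser never wrote one, so neither is correlated.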
Analysis by Chun Feng
Prevention