Threat behavior
PWS:Win32/Lolyda.AT belongs to a family of trojans that steal account information from popular online games and send it to a remote server.
Installation
When executed, PWS:Win32/Lolyda.AT drops a DLL with a randomly generated file name into the Windows system folder. It then modifies the registry so that the DLL is loaded by the 'explorer.exe' process, registering it as a COM in-process server and as a shell execute hook, for example:
Add value: "(default)"
With data: "<system folder>\perrgx5dkqsbqdwaucrqh.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}\InProcServer32
Add value: "{51716C09-6B08-4CCF-B526-718E912C0573}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHook
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
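The two registry writes above form a single persistence chain: the ShellExecuteHooks value names a CLSID, and that CLSID's InProcServer32 default value names the DLL that Explorer will load. The following script is an added example (not part of this write-up or of any Microsoft tool) that walks that chain offline over a `reg export` text dump, listing every hook with its resolved DLL and flagging any hook whose CLSID is not on an operator-maintained baseline. The sample dump, the second CLSID, the vendor path and the baseline set are all constructed placeholders; only the first CLSID and DLL name come from the entry above. Windows names the key ShellExecuteHooks (plural); the parser accepts the spelling used in this write-up as well.

```python
"""Correlate Explorer ShellExecuteHooks entries with their InProcServer32 DLLs.

Input is the text produced by `reg export HKLM\SOFTWARE ...`, so the check can
run on a collected artefact rather than on the live machine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample dump modelled on the registry writes in the write-up.
# The second CLSID and its path are placeholders, not indicators of compromise.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}\InProcServer32]
@="C:\\Windows\\System32\\perrgx5dkqsbqdwaucrqh.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\Program Files\\ExampleVendor\\hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{51716C09-6B08-4CCF-B526-718E912C0573}"=""
"{00000000-1111-2222-3333-444444444444}"="Example vendor hook"
"""

# Placeholder baseline: in practice, populate from a known-clean build.
KNOWN_GOOD_CLSIDS = {"{00000000-1111-2222-3333-444444444444}"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')
# Accept both the real key name (ShellExecuteHooks) and the singular spelling.
HOOKS_RE = re.compile(r"\\Explorer\\ShellExecuteHooks?$", re.IGNORECASE)
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32$", re.IGNORECASE)


def _decode_string(data: str) -> str:
    """Undo .reg escaping for quoted REG_SZ data; leave other types as written."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a .reg export; '@' becomes '(default)'."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_string(m.group("data"))
    return keys


@dataclass
class Hook:
    clsid: str
    dll: Optional[str]   # None when the CLSID has no InProcServer32 in the dump
    review: bool         # True when a human should look at this entry


def needs_review(clsid: str, dll: Optional[str]) -> bool:
    """Flag anything off the baseline or without a resolvable server DLL."""
    return clsid not in KNOWN_GOOD_CLSIDS or dll is None


def shell_execute_hooks(reg: Dict[str, Dict[str, str]]) -> List[Hook]:
    """Join ShellExecuteHooks CLSIDs to their InProcServer32 default values."""
    inproc: Dict[str, Optional[str]] = {}
    hooks: Dict[str, str] = {}
    for key, values in reg.items():
        m = INPROC_RE.search(key)
        if m:
            inproc[m.group("clsid").upper()] = values.get("(default)")
        if HOOKS_RE.search(key):
            hooks = values
    results = []
    for name in hooks:
        clsid = name.upper()
        dll = inproc.get(clsid)
        results.append(Hook(clsid, dll, needs_review(clsid, dll)))
    return results


if __name__ == "__main__":
    for hook in shell_execute_hooks(parse_reg(SAMPLE_REG)):
        flag = "REVIEW" if hook.review else "ok"
        print(f"{flag:6} {hook.clsid} -> {hook.dll}")
```

On a live host the same join can be done with `reg export` of HKLM\SOFTWARE\Classes\CLSID and of the Explorer key, then feeding both files to `parse_reg`; the flagged DLL path is what to pull for signature and hash checks.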
Payload
Steals online game information
PWS:Win32/Lolyda.AT attempts to search the running process memory of several online games to find particular information, such as the following:
- User name
- Password
- Server address
- Character information
This information is then collected and sent to a remote server.
Takes screenshots
PWS:Win32/Lolyda.AT periodically checks whether the foreground window title contains the following strings:
If found, it takes a screen snapshot, saves it as a JPEG image file in the Windows Temporary Files folder, and sends the file to a remote server. This is done to steal the "password protector" (question and answer) picture used by online games.
Terminates processes
PWS:Win32/Lolyda attempts to terminate any process whose process name has an MD5 hash value that appears in a predefined list.
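Storing only the MD5 of each target process name keeps the names out of a strings dump, but the set of plausible process names is small, so an analyst can recover the list by hashing a wordlist of candidate names and comparing. The script below is an added example (not from this write-up) that does that round trip; the wordlist and the hash list are constructed here from placeholder names so the result is known in advance, whereas in practice the hashes come from the sample and the wordlist from the analyst. It tries the spelling variants such a check commonly hashes: with and without the .exe suffix, original, lower and upper case, and ASCII as well as UTF-16LE encoding.

```python
"""Recover process names from a hashed kill list by dictionary matching."""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed analyst wordlist; real work would use the process names of the
# tools and game clients the family is known to care about.
WORDLIST: List[str] = ["securityagent.exe", "procmonitor.exe", "gameclient.exe", "notepad.exe"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def name_variants(name: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, bytes) for each spelling/encoding a hashed-name check might use."""
    base = name[:-4] if name.lower().endswith(".exe") else name
    spellings = []
    for s in (name, name.lower(), name.upper(), base, base.lower(), base.upper()):
        if s not in spellings:          # keep order, drop duplicates
            spellings.append(s)
    for spelled in spellings:
        yield f"ascii:{spelled}", spelled.encode("ascii")
        yield f"utf16le:{spelled}", spelled.encode("utf-16-le")


def recover_names(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each hash that matches some variant of a wordlist entry to that variant's label."""
    wanted = {h.lower() for h in hashes}
    found: Dict[str, str] = {}
    for name in wordlist:
        for label, data in name_variants(name):
            h = md5_hex(data)
            if h in wanted and h not in found:
                found[h] = label
    return found


# Constructed hash list: two hashes we generated from wordlist variants, plus one
# placeholder that no wordlist entry will match (stands in for an unknown target).
SAMPLE_HASHES: List[str] = [
    md5_hex(b"securityagent.exe"),
    md5_hex("PROCMONITOR".encode("utf-16-le")),
    "00000000000000000000000000000000",
]


def triage(hashes: Iterable[str] = SAMPLE_HASHES) -> Dict[str, str]:
    """Run the dictionary match over the sample's hashes and report what stays unresolved."""
    found = recover_names(hashes, WORDLIST)
    for h in hashes:
        print(f"{h}  {found.get(h.lower(), '<unresolved>')}")
    return found


if __name__ == "__main__":
    triage()
```

Whatever stays unresolved after a wide wordlist is still useful: the count of entries tells you how many tools the sample singles out, even before you know which ones.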
Additional Information
PWS:Win32/Lolyda.AT also hooks the following APIs and modifies the targeted online game's client process memory. These hooks may prevent normal communication between the game client and the game server:
Analysis by Chun Feng
Prevention