PWS:Win32/Lolyda.AW is a member of the Win32/Lolyda family of trojans. This family steals account information from popular online games and sends it to a remote server.
PWS:Win32/Lolyda.AW is a DLL file that is usually dropped and installed by other malware. It is installed as a BHO (Browser Helper Object) and is capable of searching the memory of running processes for particular information.
Installation
In the wild, PWS:Win32/Lolyda.AW is known to be dropped by TrojanDropper:Win32/Lolyda.F in the Windows system folder as a hidden DLL with a randomly-generated file name.
TrojanDropper:Win32/Lolyda.F modifies the registry to ensure that PWS:Win32/Lolyda.AW is loaded by the "explorer.exe" process, for example:
Add value: "(default)"
With data: "<system folder>\ar12a899dll.dll" (where "ar12a899dll.dll" is the randomly-generated name of PWS:Win32/Lolyda.AW)
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5A041F13-A111-12A8-B0CF-F99818AA68A5}\InProcServer32
Add value: "{5A041F13-A111-12A8-B0CF-F99818AA68A5}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHook
TrojanDropper:Win32/Lolyda.F also registers PWS:Win32/Lolyda.AW as a Browser Helper Object (BHO), for example:
Add value: "(default)"
With data: "<system folder>\ar12a899dll.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A041F13-A111-12A8-B0CF-F99818AA68A5}
Payload
Steals user information
PWS:Win32/Lolyda.AW searches the running process memory of several online games to find particular information, such as the following:
- User name
- Password
- Server address
- Character information
Any stolen information is then sent to a remote server.
Additional Information
During installation of PWS:Win32/Lolyda.AW, TrojanDropper:Win32/Lolyda.F deletes the Windows system utility "verclsid.exe" (Extension CLSID Verification Host), a utility used by Windows to validate shell extensions before they are loaded by Windows Explorer.
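The persistence mechanisms above (the ShellExecuteHook registration that loads the DLL into explorer.exe, the Browser Helper Object registration, and the removal of verclsid.exe) can be checked on a host with the following PowerShell triage script. It is an added example, not part of this write-up or of any Microsoft tool. It assumes the CLSID quoted above; because the DLL name is random, it keys on the CLSID and on the DLL's properties rather than on a file name, and it goes slightly beyond the specific sample by flagging any hidden DLL in the system folder that is registered through either key. The write-up spells the key "ShellExecuteHook"; the key Windows actually reads is "ShellExecuteHooks", so both spellings are checked.

```powershell
# Added triage script (not from the original write-up). Read-only: it inspects the
# registry and file attributes and changes nothing. Assumes the CLSID from the
# write-up; the DLL name is randomised per infection, so checks never rely on it.

$KnownClsid = '{5A041F13-A111-12A8-B0CF-F99818AA68A5}'   # CLSID given in the write-up
$Explorer   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$Explorer32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer'
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$Findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Location, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail })
}

# Resolve a CLSID to the DLL its InProcServer32 default value names, or $null.
function Get-InProcServerDll([string]$Clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
        $key = "$root\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

# Record what is notable about a CLSID registered to load into Explorer or IE:
# the known Lolyda.AW CLSID, or a hidden DLL living in the system folder.
function Test-ComRegistration([string]$Clsid, [string]$Source) {
    if ($Clsid -eq $KnownClsid) {
        Add-Finding 'Known Lolyda.AW CLSID' $Source $Clsid
    }
    $dll = Get-InProcServerDll $Clsid
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $dll)) {
        Add-Finding 'InProcServer32 points at missing file' $Source "$Clsid -> $dll"
        return
    }
    $file = Get-Item -LiteralPath $dll -Force          # -Force so hidden files are returned
    $inSystemDir = $SystemDirs -contains $file.DirectoryName
    if ($inSystemDir -and $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)) {
        Add-Finding 'Hidden DLL in system folder' $Source "$Clsid -> $dll"
    }
}

# 1. ShellExecuteHooks: every value name under this key is a CLSID that Explorer
#    loads at start-up. Both spellings are checked (see lead-in).
foreach ($base in $Explorer, $Explorer32) {
    foreach ($name in 'ShellExecuteHooks', 'ShellExecuteHook') {
        $key = "$base\$name"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $valueNames = (Get-ItemProperty -LiteralPath $key).PSObject.Properties.Name
        foreach ($v in $valueNames) {
            # Only GUID-shaped names; skips the PSPath/PSParentPath metadata properties.
            if ($v -match '^\{[0-9A-Fa-f-]{36}\}$') { Test-ComRegistration $v $key }
        }
    }
}

# 2. Browser Helper Objects: each subkey name is a CLSID Internet Explorer loads.
foreach ($base in $Explorer, $Explorer32) {
    $key = "$base\Browser Helper Objects"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        Test-ComRegistration $sub.PSChildName $key
    }
}

# 3. The dropper deletes verclsid.exe so Explorer cannot vet the shell extension.
$verclsid = "$env:SystemRoot\System32\verclsid.exe"
if (-not (Test-Path -LiteralPath $verclsid)) {
    Add-Finding 'verclsid.exe missing' $verclsid 'Extension CLSID Verification Host absent'
}

if ($Findings.Count -eq 0) { Write-Output 'No Lolyda.AW persistence indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it as-is on a suspect host (reading HKLM and file attributes needs no elevation). A hit on the known CLSID or a missing verclsid.exe points directly at this family; a hidden system-folder DLL behind an unfamiliar CLSID warrants collecting that file for analysis, since variants can use a different CLSID.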
Analysis by Chun Feng