PWS:Win32/Lolyda.B is a family of trojans that send account information from popular online games to a remote server. They may also download and execute arbitrary files.
Installation
PWS:Win32/Lolyda.B typically installs itself by dropping two DLLs, placing a copy of each in both the %temp% and System directories.
Examples of filenames being used in the wild for these DLLs include:
• D3D9_32.DLL and D3D9_64.DLL
• LYMANGR.DLL and MSDEG32.DLL
• shqmangr.dll and shq.dll
It also drops one configuration file to <system folder>\REGKEY.hiv, and copies itself to C:\Privilege.dat and <system folder>\LYLoader.exe.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP and Vista.
It uses information in <system folder>\REGKEY.hiv to create new registry entries. One variant has been observed to create the following:
Adds value: MSDEG32
With data: LYLoader.exe
Adds value: MSDWG32
With data: LYLoadbr.exe
Adds value: MSDCG32
With data: LyLoador.exe
Adds value: MSDOG32
With data: LyLoador.exe
Adds value: MSDSG32
With data: LyLoadar.exe
Adds value: MSDMG32
With data: LyLoadmr.exe
Adds value: MSDHG32
With data: LyLoadhr.exe
Adds value: MSDQG32
With data: LyLoadqr.exe
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
These modifications are an attempt to ensure that programs with these names run every time Windows starts.
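As an added example that is not part of the original analysis, the following Python triage helper applies the persistence indicators listed above to a registry export: it flags values under the policies\Explorer\Run subkey whose name and data both follow the MSD?G32 / LyLoad?r.exe naming scheme seen in the observed variant. The .reg text is constructed for illustration; on a real host it would come from a `reg export` of that subkey.

```python
import re

# Subkey and naming scheme taken from the variant described above.
POLICIES_RUN = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                r"\CurrentVersion\policies\Explorer\Run")
VALUE_NAME_RE = re.compile(r"^MSD[A-Z]G32$", re.IGNORECASE)    # MSDEG32, MSDWG32, ...
LOADER_RE = re.compile(r"^LyLoad[a-z]r\.exe$", re.IGNORECASE)  # LYLoader.exe, LyLoadbr.exe, ...

# Constructed sample of `reg export` output for illustration; not from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSDEG32"="LYLoader.exe"
"MSDQG32"="LyLoadqr.exe"
"Backup"="C:\\Program Files\\Backup\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDEG32"="LYLoader.exe"
"""

def parse_reg_export(text):
    """Yield (subkey, value_name, data) for string values in a .reg export.
    Value lines look like "Name"="Data", with backslashes in Data doubled."""
    subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            subkey = line[1:-1].replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1)
        elif subkey and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                yield subkey, m.group(1), m.group(2).replace("\\\\", "\\")

def find_lolyda_persistence(text):
    """Return (value_name, data) pairs under policies\\Explorer\\Run whose name and
    data both follow the Lolyda.B scheme. Requiring both sides to match keeps
    legitimate entries in that subkey (such as "Backup") out of the hits."""
    hits = []
    for subkey, name, data in parse_reg_export(text):
        if subkey.lower() != POLICIES_RUN.lower():
            continue
        if VALUE_NAME_RE.match(name) and LOADER_RE.match(data):
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in find_lolyda_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious policies\\Explorer\\Run value: {name} = {data}")
```

The matching entry under the ordinary Run subkey is deliberately not reported, since the variant described here uses the policies\Explorer\Run location; widen the subkey check if you want to hunt for the loader names elsewhere.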
It then injects code to call the dropped DLLs into "services.exe" and "explorer.exe".
Payload
Downloads and Executes Arbitrary Files
When run, the malware makes a UDP connection to a remote server, from which it may download additional files. These files are saved to disk and then executed.
Servers observed to be in use in the wild include the following:
• 61.191.56.153
• 222.169.224.183
Steals Online Game Information
PWS:Win32/Lolyda examines the window titles of other running processes, searching for titles and executables used by popular online role-playing games. If any are found, the trojan injects code into these processes in an attempt to obtain passwords and other account information for these games.
Several variants have been observed to target the file "my.exe" from the Chinese game "Fantasy Westward Journey".
Another variant has been observed to target other files or windows, including the following:
• Pirate King Online (targeted by window title)
• elementclient.exe (Perfect World)
• cq.exe (Spring and Autumn – CQ online)
• gameclient.exe (CGA)
• Conquer.exe (Conquer)
• gc.exe (GhostWar)
• metin2.bin (Metin 2)
• HYO.exe (HY Online)
• china_login.mpr and Login.dll (PCIK)
• WndMgr.dll, WndSys.dll, ThingClassFactory.dll and thing.dll (HX Online)
• Engine.dll, HyNetHandle.dll, XInterface.dll, Core.dll, HYGUI.dll (Lineage II)
• mssdsp.flt
• dump.dll
It also targets a number of other files by determining whether their MD5 hash values appear on a specified list.
This information is posted to a server. Examples of servers observed to be in use in the wild include:
Analysis by Marian Radu