Threat behavior
PWS:Win32/Lolyda.BE is a detection for a password stealing trojan that steals account information from popular online games and sends the captured details to a remote server.
Installation
PWS:Win32/Lolyda.BE is dropped by other Win32/Lolyda components as a randomly named file, similar to the following:
<6 - 7 random numbers>n05.dll
Payload
Steals online game information
PWS:Win32/Lolyda.BE attempts to patch the memory of running processes belonging to several online games (for example, AskTao) in order to harvest information such as the following:
- Username
- Password
- Server address
- Character information
This information is posted to a remote server on the "szlb168.com" domain, where an attacker collects it.
Captures screenshots
PWS:Win32/Lolyda.BE may take a screen snapshot, save it as a bitmap (.BMP) image file in the Windows Temporary Files folder, and then send the file to a remote server. This is done to steal the "password protector" (question-and-answer) picture that some online games display as a secondary login check.
Terminates processes
PWS:Win32/Lolyda.BE may also terminate the following processes:
- 360SE.exe
- TheWorld.exe
- TTraveler.exe
The malware will also look for a window with the name 'TT_WebCtrl' and terminate the process which owns it.
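The indicators above (the <6-7 digits>n05.dll file name, the szlb168.com collection domain, and the three browser processes it terminates) can be turned into simple hunting checks. The following is an added example for this entry, not Microsoft's detection logic; the proxy-log layout, the process-termination event shape and all sample records are constructed for illustration.

```python
"""Hunting helpers for the Lolyda.BE indicators described in this entry.

Example code added here; it is not Microsoft's detection logic.
Log formats and sample records are constructed for the example.
"""
import re

# Indicators from the write-up: dropped file name shape, C2 domain, killed browsers.
DROPPED_DLL_RE = re.compile(r"^\d{6,7}n05\.dll$", re.IGNORECASE)
C2_DOMAIN = "szlb168.com"
TARGETED_BROWSERS = {"360se.exe", "theworld.exe", "ttraveler.exe"}


def is_dropped_dll_name(path: str) -> bool:
    """True when the file's basename matches <6-7 digits>n05.dll (any case)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return DROPPED_DLL_RE.match(base) is not None


def is_c2_host(host: str) -> bool:
    """True for szlb168.com itself or any subdomain of it (trailing dot tolerated)."""
    h = host.strip().lower().rstrip(".")
    return h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)


def scan_file_listing(paths):
    """Return the paths whose name matches the dropper's naming pattern."""
    return [p for p in paths if is_dropped_dll_name(p)]


def scan_proxy_log(lines):
    """Return (timestamp, client, host) for requests to the C2 domain.

    Assumed record layout (constructed): 'timestamp client method host path'.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, host = parts[:4]
        if is_c2_host(host):
            hits.append((ts, client, host))
    return hits


def suspicious_terminations(events):
    """Flag terminations of the targeted browsers by a non-browser process.

    'events' is an iterable of (killer_image, victim_image) pairs, a shape
    assumed for this example (a process-termination audit feed would supply it).
    A browser exiting on its own is not flagged.
    """
    flagged = []
    for killer, victim in events:
        k, v = killer.lower(), victim.lower()
        if v in TARGETED_BROWSERS and k not in TARGETED_BROWSERS:
            flagged.append((killer, victim))
    return flagged


# Constructed samples: two matching DLL names, a 5-digit near miss, an 8-digit near miss.
SAMPLE_FILES = [
    r"C:\Windows\System32\1234567n05.dll",
    r"C:\Windows\Temp\654321N05.DLL",
    r"C:\Windows\System32\12345n05.dll",
    r"C:\Windows\System32\12345678n05.dll",
    r"C:\Windows\System32\kernel32.dll",
]

# Constructed proxy records; the look-alike host must not match.
SAMPLE_PROXY = [
    "2010-03-01T10:00:01 10.0.0.5 POST www.szlb168.com /post.asp",
    "2010-03-01T10:00:02 10.0.0.5 GET update.microsoft.com /index.html",
    "2010-03-01T10:00:03 10.0.0.9 POST szlb168.com. /up.php",
    "2010-03-01T10:00:04 10.0.0.9 GET notszlb168.com /",
    "garbage line",
]

# Constructed (killer, victim) termination events.
SAMPLE_TERMINATIONS = [
    ("explorer.exe", "notepad.exe"),
    ("rundll32.exe", "360SE.exe"),
    ("TheWorld.exe", "TheWorld.exe"),
    ("svchost.exe", "TTraveler.exe"),
]


def run_all():
    """Run every check over the constructed samples and return a summary."""
    return {
        "files": scan_file_listing(SAMPLE_FILES),
        "c2": scan_proxy_log(SAMPLE_PROXY),
        "kills": suspicious_terminations(SAMPLE_TERMINATIONS),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

The domain check deliberately requires either an exact match or a dot-separated subdomain, so a look-alike such as notszlb168.com does not produce a false positive; the file-name check anchors the digit count at six or seven exactly, as the write-up states.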
Analysis by Matt McCormack
Prevention