
PWS:Win32/Lolyda.Y


First posted on 16 March 2009.
Source: SecurityHome

Aliases:

There are no other names known for PWS:Win32/Lolyda.Y.

Explanation:

PWS:Win32/Lolyda.Y is from a family of trojans that steals account information from popular online games and sends it to a remote server.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.


Installation
When executed, PWS:Win32/Lolyda.Y drops a DLL with a randomly generated filename to the System folder and modifies the registry to ensure that it is loaded by explorer.exe. For example:

Adds value: "(default)"
With data: "<system folder>\lgpmlpgp.dll.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{50965909-B537-4466-897C-290A02F4BD1A}\InProcServer32

Adds value: "{50965909-B537-4466-897C-290A02F4BD1A}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHook

It then drops a batch file that it uses to remove itself and the batch file.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
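The persistence mechanism described above (a CLSID whose InProcServer32 points at a dropped DLL, registered under Explorer's ShellExecuteHooks so that explorer.exe loads it) can be audited from the defender's side. The following PowerShell script is an added example and is not part of the original advisory; it enumerates every hook CLSID, resolves the DLL explorer.exe would load, and flags entries that match the CLSID quoted in the advisory, carry a doubled ".dll.dll" extension, point at a missing file, or are not validly signed. It assumes an elevated session on the host being checked and uses the standard Windows key name "ShellExecuteHooks" (the advisory text writes it without the trailing "s"); the helper function name and its anomaly rules are my own.

```powershell
# Added example, not code from the original advisory or its author.
# Audits Explorer's ShellExecuteHooks persistence point and resolves each
# registered CLSID to the DLL that explorer.exe will load in-process.
# Assumption: run in an elevated PowerShell session on the host being checked.

# CLSID quoted in the advisory; everything else below is derived at run time.
$knownBadClsid = '{50965909-B537-4466-897C-290A02F4BD1A}'
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHookReport {
    if (-not (Test-Path $hookKey)) { return @() }

    # Modules currently mapped into explorer.exe, so we can tell whether a
    # registered hook DLL is actually loaded right now (requires elevation).
    $loadedModules = @()
    $explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue
    if ($explorer) { $loadedModules = @($explorer.Modules.FileName) }

    $results = @()
    foreach ($name in (Get-Item $hookKey).GetValueNames()) {
        # Hook registrations are value names shaped like a CLSID; skip the rest.
        if ($name -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$name\InProcServer32"
        $dllPath = $null
        if (Test-Path $serverKey) {
            # The (default) value of InProcServer32 is the DLL path for this CLSID.
            $dllPath = (Get-ItemProperty -Path $serverKey).'(default)'
        }

        $reasons = @()
        $loaded = $false
        if ($name -ieq $knownBadClsid) { $reasons += 'CLSID matches Lolyda.Y indicator' }

        if (-not $dllPath) {
            $reasons += 'no InProcServer32 path'
        } else {
            $expanded = [Environment]::ExpandEnvironmentVariables($dllPath)
            if ($expanded -match '\.dll\.dll$') { $reasons += 'double .dll extension' }
            if (-not (Test-Path $expanded)) {
                $reasons += 'DLL missing on disk'
            } else {
                # Windows-shipped hook DLLs are catalog-signed; anything else deserves a look.
                $sig = Get-AuthenticodeSignature -FilePath $expanded
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            }
            $loaded = $loadedModules -contains $expanded
        }

        $results += [PSCustomObject]@{
            CLSID            = $name
            Dll              = $dllPath
            LoadedInExplorer = $loaded
            Suspicious       = ($reasons.Count -gt 0)
            Reasons          = ($reasons -join '; ')
        }
    }
    return $results
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
```

On a clean system the table is either empty or lists only Windows-shipped hooks with a valid signature; any row marked Suspicious, especially one whose DLL sits in the System folder under a random name and is loaded into explorer.exe, is worth pulling for analysis before removing the registry entries.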

Payload

Steals Online Game Information
PWS:Win32/Lolyda.Y attempts to search the running process memory of several popular online games (such as "Eudemons Online" or "QQFFO") in order to find particular information, such as the following:

  • Username
  • Password
  • Server Address
  • Character Information

This information is posted to a remote server.

Additional Information
PWS:Win32/Lolyda.Y also hooks the following APIs and patches the targeted online game's client process memory. These hooks may prevent normal communication between the game client and the game server:

  • send
  • CreateProcessA


Analysis by Chun Feng

Last update 16 March 2009
