PWS:Win32/Lolyda.AF
First posted on 28 May 2009.
Source: SecurityHome
Aliases:
PWS:Win32/Lolyda.AF is also known as Trojan-GameThief.Win32.OnLineGames.uyze (Kaspe, Trojan.Generic.1631080 (BitDefender).
Explanation:
PWS:Win32/Lolyda.AF is a component of Win32/Lolyda - a family of trojans that sends account information from popular online games to a remote server. They may also download and execute arbitrary files. PWS:Win32/Lolyda.AF has been distributed as a 32,153-byte DLL component, used for stealing information related to popular online games and a popular chat application.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
%windir%\fonts\GTH60373.fon
Payload
Steals sensitive information
When loaded, PWS:Win32/Lolyda.AF tries to locate the file %windir%\fonts\GTH60373.fon, where it expects to find a list of encrypted URLs. It sends stolen information to these URLs. PWS:Win32/Lolyda.AF waits for a window named 'qqlogin.exe'. Once found, it searches the memory spaces of the game and chat program components QQLogin.exe, TenQQAcount.dll, fmod.dll, and RS.dll for user-related and game-specific information. It also retrieves information from 'UserSetting.ini', reading the following sections of the initialization file:
PASS
SERVER
PIN1
PINCODE1
PIN2
PICODE2
PIN3
PICODE3
It sends the captured information to the remote hosts specified in the file %windir%\fonts\GTH60373.fon. It uses a shared section, named 'shard', inside its own process space for inter-process communication with the trojan's other components.
Additional information
For more information on Win32/Lolyda, please see the family description, elsewhere in our encyclopedia.
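The dropped configuration file above is stored as a .fon in the Windows fonts directory, but it holds encrypted URLs rather than a font. The following added example (not part of this write-up) triages a fonts directory in two ways: it matches the exact indicator filename from the description, and, as a generalisation beyond this page, it flags any .fon file that lacks the MZ/NE header a genuine 16-bit font resource carries. The sample directory and its file contents are constructed inline; the function name triage_fonts_dir is an assumption.

```python
import struct
import tempfile
from pathlib import Path

# Indicator taken from the write-up: the trojan's encrypted URL list lives here.
IOC_FILENAME = "GTH60373.fon"


def looks_like_real_fon(data: bytes) -> bool:
    """Genuine .fon files are 16-bit NE executables: an 'MZ' DOS stub whose
    e_lfanew field (offset 0x3C) points at an 'NE' header. A dropped config
    blob carrying encrypted URLs will not satisfy this layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    ne_off = struct.unpack_from("<I", data, 0x3C)[0]
    return ne_off + 2 <= len(data) and data[ne_off:ne_off + 2] == b"NE"


def triage_fonts_dir(fonts_dir: Path) -> list:
    """Return (filename, reason) pairs for every suspicious .fon entry."""
    findings = []
    for entry in sorted(fonts_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".fon":
            continue
        if entry.name.lower() == IOC_FILENAME.lower():
            findings.append((entry.name, "matches Lolyda.AF indicator filename"))
            continue
        if not looks_like_real_fon(entry.read_bytes()):
            findings.append((entry.name, "no MZ/NE header: not a real font resource"))
    return findings


def build_sample_fonts_dir() -> Path:
    """Constructed sample: one minimal valid NE font stub, the named indicator
    file, and a look-alike blob with a different name."""
    d = Path(tempfile.mkdtemp(prefix="fonts_"))
    ne = bytearray(0x80)
    ne[:2] = b"MZ"
    struct.pack_into("<I", ne, 0x3C, 0x40)  # e_lfanew -> 0x40
    ne[0x40:0x42] = b"NE"
    (d / "vgasys.fon").write_bytes(bytes(ne))
    (d / "GTH60373.fon").write_bytes(b"\x8f\x21\x44\x9a\x03")  # constructed opaque bytes
    (d / "GTH99999.fon").write_bytes(b"\x01\x02\x03\x04")      # constructed opaque bytes
    return d


if __name__ == "__main__":
    for name, reason in triage_fonts_dir(build_sample_fonts_dir()):
        print(f"{name}: {reason}")
```

On a live Windows host, point the function at Path(os.environ["WINDIR"]) / "Fonts" instead of the constructed directory.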
Analysis by Oleg Petrovsky
Last update 28 May 2009