
PWS:Win32/Lolyda.X


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Lolyda.X is also known as Win-Trojan/OnlineGameHack.25088.CS (AhnLab), Win32/PSW.OnLineGames.NST (ESET), Win32/GamePass.SL (CA), Trojan-Spy.Win32.Small.bzn (Kaspersky), PWS-OnlineGames.da (McAfee), and Infostealer.Onlinegame (Symantec).

Explanation :

PWS:Win32/Lolyda.X is a member of a family of trojans that steals account information from the online game "Eudemons Online" and sends it to a remote server.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
When executed, PWS:Win32/Lolyda.X drops a DLL with a randomly generated filename to the System folder and modifies the registry so that explorer.exe loads it. It registers the DLL as an in-process COM server under a new CLSID and then lists that CLSID under the Explorer ShellExecuteHooks key; Explorer instantiates every CLSID registered there as an in-process server when it handles ShellExecute calls, which brings the DLL into explorer.exe. For example:

Adds value: "(default)"
With data: "<system folder>\pempmpdn.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{9E6969D7-DFC3-4F71-8515-8F22D0FB07D5}\InProcServer32

Adds value: "{9E6969D7-DFC3-4F71-8515-8F22D0FB07D5}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

It then drops a batch file that deletes the original executable and then the batch file itself.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.

Payload
Steals Online Game Information
PWS:Win32/Lolyda.X attempts to search the running process memory of the game "Eudemons Online" in order to find particular information, such as the following:

  • Username
  • Password
  • Server Address
  • Character Information

This information is posted to a remote server. Examples of servers observed being used in the wild include the following:

  • 123sb123.com
  • 888812356.com

Additional Information
PWS:Win32/Lolyda.X also hooks the following APIs. These hooks may prevent normal communication between the game client and the game server:

  • send
  • CreateProcessA
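The persistence chain described under Installation (a CLSID whose InProcServer32 default value names the dropped DLL, and that CLSID listed under Explorer's ShellExecuteHooks key) is what an analyst walks when checking a host or an exported hive for this family. The following Python script is an added example, not code from the original write-up or from its author: it parses a `.reg` text export, follows each ShellExecuteHooks entry to its InProcServer32 DLL, and flags entries whose CLSID matches the one in this write-up or whose DLL is not in an assumed allowlist. The sample export, the allowlist (`shell32.dll`) and the benign-looking second hook in the sample are constructed for the example; the malicious CLSID and DLL path are the ones given above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment shaped like the output of `reg export
# HKLM\SOFTWARE`, not a real capture. It contains the two keys from the
# write-up plus one benign-looking hook so the triage has something to keep.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6969D7-DFC3-4F71-8515-8F22D0FB07D5}\InProcServer32]
@="C:\\WINDOWS\\system32\\pempmpdn.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9E6969D7-DFC3-4F71-8515-8F22D0FB07D5}"=""
"""

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
# CLSID taken from the write-up; a hook registered under it is an indicator.
LOLYDA_CLSID = "{9e6969d7-dfc3-4f71-8515-8f22d0fb07d5}"
# Assumed allowlist for this example: hook DLLs expected on a clean host.
# Replace with the baseline of the environment being examined.
EXPECTED_HOOK_DLLS = {"shell32.dll"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    # Strip surrounding quotes and undo .reg escaping: \\ becomes \ and \" becomes "
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg text export into {lowercased key path: {value name: data}}.
    The default value is stored under the empty name. Only quoted (REG_SZ)
    data is unescaped; other value types keep their raw .reg text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def resolve_hooks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Map every CLSID listed under ShellExecuteHooks to the DLL path in its
    InProcServer32 default value, the same chain Explorer follows to load it.
    A missing InProcServer32 yields an empty path."""
    hooks = []
    for clsid in keys.get(HOOKS_KEY, {}):
        server_key = "\\".join(["hkey_local_machine", "software", "classes",
                                "clsid", clsid.lower(), "inprocserver32"])
        dll = keys.get(server_key, {}).get("", "")
        hooks.append((clsid, dll))
    return hooks


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (clsid, dll, reasons) for every hook that needs a closer look."""
    findings = []
    for clsid, dll in resolve_hooks(keys):
        reasons = []
        if clsid.lower() == LOLYDA_CLSID:
            reasons.append("CLSID matches the PWS:Win32/Lolyda.X write-up")
        if not dll:
            reasons.append("hook CLSID has no InProcServer32 (orphaned entry)")
        elif dll.rsplit("\\", 1)[-1].lower() not in EXPECTED_HOOK_DLLS:
            reasons.append("hook DLL %s is not in the expected-DLL allowlist" % dll)
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for clsid, dll, reasons in triage(parse_reg(SAMPLE_REG)):
        print(clsid, dll or "<no InProcServer32>")
        for r in reasons:
            print("   -", r)
```

On a live host the same chain can be walked with `reg export HKLM\SOFTWARE hive.reg` and then `python triage.py` against that file; because ShellExecuteHooks normally holds very few entries, anything beyond the environment's known baseline deserves a look at the DLL itself, and the DLL name alone is a weak signal since this family randomises it.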


Analysis by Chun Feng

Last update 16 March 2009

     
