HOME > VIRUS ALERTS


VIRUS ALERTS

PWS:Win32/Lolyda

Original issue date: November 10, 2008

Win32/Lolyda is a family of trojans that steal details relating to various MMORPGs (Massively Multiplayer Online Role-Playing Game) such as Fantasy Westward Journey, The Warlords and Zero Online. It has been distributed as a 16,697-byte, UPACK-packed Win32 executable.

Win32/Lolyda examines the window titles of other running processes searching for titles and executables used by online role playing games If any are found, the trojan injects code into these processes to attempt to obtain password and other account information from these games., and sends this stolen data to a remote server.

Aliases

Infostealer.Lineage (Symantec),
Cryp_Mangled(Trend)
Trojan-GameThief.Win32.OnLineGames (Kaspersky)

Upon execution the trojan variants:

  • drop the following files onto the system:
    • %System%\drivers\HBKernel.sys ( detected as PWS:Win32/Lolyda.I )
    • %System%\lyloader.exe
    • %System%\lymangr.exe
    • %System%\msdeg32.exe
    • %System%\mhxy.exe
    • %Temp%\lyloader.exe
    • %Temp%\lymangr.exe
    • %Temp%\msdeg32.exe
    • %Temp%\tru2068.tmp - copy of "mhxy.exe"
    • %System%\HBmhly.dll
    • %Temp%\OPE206A.bat

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
    policies\Explorer\Run\
    MSDEG32 = "LYLoader.exe"
    MSDWG32 = "LYLoadbr.exe"
    MSDCG32 = "LYLeador.exe
    MSDOG32 = "LYLoador.exe"
    MSDSG32 = "LYLoadar.exe"
    MSDMG32 = "LYLoadmr.exe"
    MSDHG32 = "LYLoadhr.exe"
    MSDQG32 = "LYLoadqr.exe"

  • [HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\
    Windows]
    AppInit_DLLs = "aaa.dll,HBmhly.dll"

  • log keystrokes in an attempt to steal information (such as usernames and passwords) relating to various online games such as Fantasy Westward Journey, The Warlords and Zero Online and sends this stolen data to the following locations:
    • ganjue520888.www127.cnidc.cn
    • www dot 5151l[removed]dot com
    • www dot 61[removed]1dot cn
    • www dot 61[removed]dot cn
    • www dot 6[removed]q1 dot cn
    • www dot 6[removed]2 dot cn
    • www dot 8[removed]a dot com
    • www dot m[removed]8 dot cn
    • www dot r[removed]wd dot com
    • www dot [removed]wd dot com
    • www dot zi[removed]qq dot cn
    • www dot zit[removed]qq dot cn
    • www dot z[removed]20 dot cn

  • Some variants attempt to download and execute arbitrary files from the following servers:
    • 61. [removed].38.232
    • 61. [removed].38.166
    • 222. [removed.224.183

  • Some variants attempts to hide its activities on a system by injecting dropped files into the System and Explorer processes and processes relating to the targeted games.

  • Some variants search for and terminate processes relate to online games.
    • my.exe
    • Client.exe
    • woool.dat
    • woool88.dat
    • xy2.exe
    • game.exe

creates one of the following mutexes so that only one copy of the trojan executes:

    • MHLY_Mutex
    • HBInjectMutex

In view of rapid propagation of the Lolyda Trojan variants, users are advised to implement the following countermeasures :

  • Delete executables with the abovementioned names
  • Delete the registry entries made by the Trojan a mentioned above
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Keep up-to-date on patches and fixes on the operating system
  • Install and maintain Desktop Firewall and block the ports which are not required
  • Exercise caution while visiting trusted/untrusted sites.

References

http://www.microsoft.com/security/portal/SearchResults.aspx?
query=Lolyda
http://www.microsoft.com/security/portal/Entry.aspx?Name=
PWS%3aWin32%2fLolyda.B
http://www.microsoft.com/security/portal/Entry.aspx?Name=
PWS%3aWin32%2fLolyda.I

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003