PWS:Win32/Lolyda.O is a trojan password stealer. Aside from sending account information for popular online games to a remote site, it also terminates certain processes and drops other malware.
Installation
Upon execution, PWS:Win32/Lolyda.O drops the following files:
<system folder>\hbwd.dll - detected as PWS:Win32/Lolyda.O
<system folder>\drivers\hbkernel32.sys - detected as PWS:Win32/Lolyda.K
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Lolyda.O checks every 100 milliseconds whether the following registry entries exist, and re-creates them if they do not. These registry entries are designed to ensure that its dropped copy and the file detected as PWS:Win32/Lolyda.M are run every time Windows starts. Because the entries are re-created every 100 milliseconds, deleting them while the trojan is still running has no lasting effect; the running process and the loaded driver must be stopped first. Note also that AppInit_DLLs causes every listed DLL to be loaded into each process that loads user32.dll, which is how the game-specific DLLs reach the game clients.
Adds value: "HBService32"
With data: "system.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Modifies value: "AppInit_DLLs"
With data: "hbmhly.dll,hb1000y.dll,hbwoool.dll,hbxy2.dll,hbjxsj.dll,hbso2.dll,hbfs2.dll,hbxy3.dll,hbshq.dll,hbfy.dll,hbwulin2.dll,hbw2i.dll,hbkdxy.dll,hbworld2.dll,hbasktao.dll,hbzhuxian.dll,hbwow.dll,hbzero.dll,hbbo.dll,hbconquer.dll,hbsoul.dll,hbchibi.dll,hbdnf.dll,hbwarlords.dll,hbtl.dll,hbpickchina.dll,hbct.dll,hbgc.dll,hbhm.dll,hbhx2.dll,hbqqhx.dll,hbtw2.dll,hbqqsg.dll,hbqqffo.dll,hbzt.dll,hbmir2.dll,hbrxjh.dll,hbyy.dll,hbmxd.dll,hbsq.dll,hbtj.dll,hbfhzl.dll,hbwlqx.dll,hblyfx.dll,hbr2.dll,hbchd.dll,hbtz.dll,hbqqxx.dll,hbwd.dll,hbzg.dll,hbppbl.dll,hbxmj.dll,hbjtlq.dll,hbqjsj.dll"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
It also loads the file '<system folder>\drivers\hbkernel32.sys' as a system driver with the following specifications:
Display name: "HBKernel32 Driver"
Service name: "HBKernel32"
Payload
Terminates Processes
PWS:Win32/Lolyda.O terminates the following processes, most of which are connected to various online games:
my.exe
Client.exe
woool.dat
woool88.dat
xy2.exe
game.exe
SO2Game.exe
SO2GameFree.exe
FSOnline2.exe
gameclient.exe
elementclient.exe
asktao.mod
Wow.exe
ZeroOnline.exe
Bo.exe
Conquer.exe
soul.exe
TheWarlords.exe
china_login.mpr
blueskyclient_r.exe
xy3.exe
QQLogin.exe
DNF.exe
gc12.exe
hugemanclient.exe
HX2Game.exe
QQhxgame.exe
tw2.exe
QQSG.exe
QQFFO.exe
zhengtu.dat
mir1.dat
mir2.dat
Drops Other Malware
As mentioned in the Installation section above, this trojan also drops the following file, which is detected as another member of the Lolyda family:
<system folder>\drivers\hbkernel32.sys - detected as PWS:Win32/Lolyda.K
Steals Sensitive Information
PWS:Win32/Lolyda.O monitors and records user account activity for various online games, including passwords, game statistics, and screenshots. It then sends the stolen data to the following host:
chz.feitianxiaozhu.com
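The following read-only host triage script is an added example, not part of the original write-up and not code from the malware or from the analyst. It checks a Windows system for the indicators listed in the Installation and Steals Sensitive Information sections: the HBService32 Run value, hb*.dll entries in AppInit_DLLs, the HBKernel32 driver service key, the two dropped files, and a cached DNS lookup for chz.feitianxiaozhu.com. The hb*.dll pattern is an assumed generalization of the DLL names listed above, so it also flags names not in that list; the script assumes PowerShell 4 or later for Get-FileHash and treats Get-DnsClientCache as optional because it is absent on the older Windows versions the page mentions.

```powershell
# Added triage script for the PWS:Win32/Lolyda.O indicators described on this page.
# Read-only: nothing is deleted or stopped. Run from an elevated prompt.
# Assumptions (not from the page): PowerShell 4+ for Get-FileHash; the hb*.dll
# pattern generalizes the listed DLL names; Get-DnsClientCache may be missing.

$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\HBKernel32'
$sysDir     = [Environment]::SystemDirectory   # resolves <system folder> as the OS reports it
$files      = @("$sysDir\hbwd.dll", "$sysDir\drivers\hbkernel32.sys")
$c2Host     = 'chz.feitianxiaozhu.com'

$findings = @()

# 1. Run value "HBService32" pointing at system.exe
$run = Get-ItemProperty -Path $runKey -Name 'HBService32' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value HBService32 = '$($run.HBService32)'" }

# 2. AppInit_DLLs: empty on a clean default install. Tokens are comma- or
#    space-separated; any token matching the family's hb*.dll naming is reported.
$appInit = (Get-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    $hits = $appInit -split '[,\s]+' | Where-Object { $_ -match '^hb.*\.dll$' }
    if ($hits) { $findings += "AppInit_DLLs contains: $($hits -join ', ')" }
}

# 3. Driver service. Get-Service does not list kernel drivers, so read the
#    Services key directly; the page gives display name "HBKernel32 Driver".
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Service key HBKernel32 present (DisplayName '$($svc.DisplayName)', ImagePath '$($svc.ImagePath)')"
}

# 4. Dropped files, hashed so the result can be compared against AV detections
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f (SHA256 $h)"
    }
}

# 5. Exfiltration host in the local resolver cache (catches only recent lookups;
#    proxy or DNS server logs are the authoritative source for this check)
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache | Where-Object { $_.Entry -like "*$c2Host*" }
    if ($dns) { $findings += "DNS cache entry for $c2Host" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PWS:Win32/Lolyda.O indicators found.'
} else {
    Write-Output 'PWS:Win32/Lolyda.O indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the Run value or AppInit_DLLs alone should be treated as a live infection rather than a leftover, since the trojan re-creates those entries every 100 milliseconds while it runs; remediation therefore has to stop the process and unload the HBKernel32 driver before the registry entries and files are removed.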
Analysis by Cristian Craioveanu