
TrojanDropper:Win32/Lolyda.F


First posted on 03 February 2010.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDropper:Win32/Lolyda.F.

Explanation :

TrojanDropper:Win32/Lolyda.F is a member of the Win32/Lolyda family of trojans. This family steals account information from popular online games and sends it to a remote server. TrojanDropper:Win32/Lolyda.F drops and installs a DLL file detected as PWS:Win32/Lolyda.AW. It terminates certain processes and deletes a system file.

Installation :

When executed, TrojanDropper:Win32/Lolyda.F copies itself to the Windows system folder with a random file name.

Payload :

Drops and installs other malware

TrojanDropper:Win32/Lolyda.F drops a hidden DLL with a randomly-generated file name into the Windows system folder; this DLL file may be detected as PWS:Win32/Lolyda.AW. It then modifies the registry to ensure that this DLL file is loaded by the "explorer.exe" process, for example:

Add value: "(default)"
With data: "<system folder>\ar12a899dll.dll" (where "ar12a899dll.dll" is the randomly-generated name of the DLL file)
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5A041F13-A111-12A8-B0CF-F99818AA68A5}\InProcServer32

Add value: "{5A041F13-A111-12A8-B0CF-F99818AA68A5}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHook

TrojanDropper:Win32/Lolyda.F also registers its dropped DLL file as a Browser Helper Object (BHO):

Add value: "(default)"
With data: "<system folder>\ar12a899dll.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A041F13-A111-12A8-B0CF-F99818AA68A5}

Terminates processes

TrojanDropper:Win32/Lolyda.F attempts to terminate certain antivirus software as well as online game client processes. Some of the processes it is known to terminate are the following:

  • 360safe.exe
  • 360tray.exe
  • elementclient.exe
  • safeboxtray.exe

Deletes system file

TrojanDropper:Win32/Lolyda.F deletes the file "<system folder>\verclsid.exe", which Windows Explorer uses to validate shell extensions before they are loaded.
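The persistence described above leaves two registry traces that a responder can correlate: a CLSID registered as a shell execute hook or BHO, and that CLSID's InProcServer32 entry pointing at a DLL in the system folder. The following Python triage script is an added example and not part of the original entry; it parses an exported .reg hive, lists every hook and BHO CLSID, resolves each one's InProcServer32 DLL and flags any DLL not on an allowlist, and separately checks a system-folder listing for the deleted verclsid.exe. The .reg text, the benign placeholder CLSID {11111111-2222-3333-4444-555555555555}, the allowlist and the file listing are constructed for illustration; the key is written as ShellExecuteHooks, its name in the Windows registry, and the CLSID {5A041F13-A111-12A8-B0CF-F99818AA68A5} is the one quoted in the entry.

```python
"""Triage helper (added example): correlate shell hook / BHO registrations with
their InProcServer32 DLLs in an exported .reg file, as used by Win32/Lolyda.F."""
import ntpath
import re

# Standard registry locations; .reg exports spell out HKEY_LOCAL_MACHINE rather than HKLM.
SHELL_HOOK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample export: one benign placeholder hook plus the Lolyda-style entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"=""
"{5A041F13-A111-12A8-B0CF-F99818AA68A5}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A041F13-A111-12A8-B0CF-F99818AA68A5}]
@="C:\\Windows\\system32\\ar12a899dll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A041F13-A111-12A8-B0CF-F99818AA68A5}\InProcServer32]
@="C:\\Windows\\system32\\ar12a899dll.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\system32\\shell32.dll"
'''


def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}; '@' becomes '(default)'."""
    keys, current = {}, None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes in strings
            keys[current][name] = data
    return keys


def registered_clsids(keys, hook_key):
    """CLSIDs under a hook key: ShellExecuteHooks stores them as value names,
    Browser Helper Objects stores each as a subkey."""
    found = set()
    for name in keys.get(hook_key, {}):
        if CLSID_RE.fullmatch(name):
            found.add(name.upper())
    prefix = hook_key.lower() + "\\"
    for key in keys:
        if key.lower().startswith(prefix):
            tail = key[len(prefix):].split("\\")[0]
            if CLSID_RE.fullmatch(tail):
                found.add(tail.upper())
    return found


def inproc_server(keys, clsid):
    """Default value of HKLM\\SOFTWARE\\Classes\\CLSID\\{clsid}\\InProcServer32, or None."""
    target = f"{CLSID_ROOT}\\{clsid}\\InProcServer32".upper()
    for key, values in keys.items():
        if key.upper() == target:
            return values.get("(default)")
    return None


def find_suspicious_hooks(reg_text, allowlist=frozenset()):
    """Return (hook type, CLSID, DLL path, reason) for every hook/BHO whose DLL
    file name is not on the allowlist, or whose CLSID has no InProcServer32 at all."""
    keys = parse_reg(reg_text)
    allowed = {a.lower() for a in allowlist}
    findings = []
    for label, hook_key in (("ShellExecuteHooks", SHELL_HOOK_KEY), ("Browser Helper Objects", BHO_KEY)):
        for clsid in sorted(registered_clsids(keys, hook_key)):
            dll = inproc_server(keys, clsid)
            if dll is None:
                findings.append((label, clsid, None, "CLSID has no InProcServer32 (dangling hook)"))
            elif ntpath.basename(dll).lower() not in allowed:
                findings.append((label, clsid, dll, "hook DLL not on allowlist"))
    return findings


def verclsid_missing(system_folder_listing):
    """True when verclsid.exe is absent from a system-folder file listing; its
    deletion is part of this dropper's behaviour and a useful corroborating sign."""
    return "verclsid.exe" not in {n.lower() for n in system_folder_listing}


if __name__ == "__main__":
    for hit in find_suspicious_hooks(SAMPLE_REG, {"shell32.dll"}):
        print(*hit, sep=" | ")
    print("verclsid.exe missing:", verclsid_missing(["ar12a899dll.dll", "shell32.dll"]))
```

On a live host the same logic applies to an export produced with `reg export HKLM\SOFTWARE hive.reg`; an allowlist of file names is deliberately coarse, so treat each hit as a lead to confirm against the DLL's signature and hidden attribute rather than as a verdict.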

Analysis by Chun Feng

Last update 03 February 2010
