
Trojan:Win64/Weelsof.A


First posted on 18 December 2012.
Source: Microsoft

Aliases:

Trojan:Win64/Weelsof.A is also known as Win64/Weelsof.A trojan (ESET), Ransom-AAV (McAfee).

Explanation:



Trojan:Win64/Weelsof.A is ransomware that may lock your screen and ask you for sensitive and/or financial information so that your computer can be restored to normal.



Installation

Trojan:Win64/Weelsof.A is a version of Trojan:Win32/Weelsof that runs on 64-bit computers.

If Trojan:Win32/Weelsof finds that it is running on a 64-bit operating system, it injects Trojan:Win64/Weelsof.A into <system folder>\runas.exe.

When run, Trojan:Win64/Weelsof.A copies itself into the %AppData% and %windir% folders using a random file name.

It modifies the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random 15 character string>"
With data: "%AppData%\<random 8 character file name>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random 15 character string>"
With data: "%windir%\<random 8 character file name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\<random 8 character file name>.exe"
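As an added defender-side example that is not part of the Microsoft write-up, the following Python checks a set of registry values (here a constructed snapshot, not a live hive) for the persistence pattern described above: a Run value with a random 15-character name pointing at an 8-character .exe in %AppData% or %windir%, or a Winlogon Shell that no longer points at explorer.exe. The page only gives the lengths of the random names; treating them as alphanumeric is my assumption.

```python
import re

# Persistence indicators described for Trojan:Win64/Weelsof.A:
#  - Run value with a random 15-character name whose data is
#    %AppData%\<8 chars>.exe or %windir%\<8 chars>.exe
#  - Winlogon "Shell" pointing at %AppData%\<8 chars>.exe instead of explorer.exe
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: the random names are alphanumeric (the write-up gives only their lengths).
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{15}$")
DROPPED_COPY_RE = re.compile(r"^%(AppData|windir)%\\[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)

def check_entry(key, name, data):
    """Return a finding for one registry value, or None if it looks benign."""
    k = key.lower().rstrip("\\")  # registry paths are case-insensitive
    if k == RUN_KEY.lower():
        if RANDOM_NAME_RE.match(name) and DROPPED_COPY_RE.match(data):
            return f"suspicious Run value {name!r} -> {data}"
    elif k == WINLOGON_KEY.lower() and name.lower() == "shell":
        # The default Shell is explorer.exe; anything else deserves a look,
        # and an 8-character %AppData% copy is the exact Weelsof pattern.
        if data.strip().lower() != "explorer.exe":
            return f"Winlogon Shell replaced: {data}"
    return None

def scan(entries):
    """Run check_entry over (key, value_name, data) triples and collect findings."""
    return [f for f in (check_entry(k, n, d) for k, n, d in entries) if f]

# Constructed sample registry snapshot (not taken from a real infection).
SAMPLE_ENTRIES = [
    (RUN_KEY, "SecurityHealth", r"%ProgramFiles%\Windows Defender\MSASCuiL.exe"),
    (RUN_KEY, "kqzcrbhtgwnfpva", r"%AppData%\hxkqtrbz.exe"),
    (RUN_KEY, "mvgdplrxtqwfahb", r"%windir%\hxkqtrbz.exe"),
    (WINLOGON_KEY + "\\", "Shell", r"%AppData%\hxkqtrbz.exe"),
    (WINLOGON_KEY, "Userinit", r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding)
```

On a live host the same triples can be produced by enumerating the two keys with `reg query` or `Get-ItemProperty` and feeding them to `scan`.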



Payload

Prevents access to your desktop

Trojan:Win64/Weelsof.A displays a full-screen image downloaded from a certain website. The image covers your entire screen and prevents you from accessing your desktop. The image contains a message, falsely claiming to be from the authorities, saying that you have to enter sensitive information or make a payment to regain access to your computer.

The image may look similar to any of these.

Trojan:Win64/Weelsof.A may connect to any of the following websites for the image:


Additional information

More information about ransomware is available here.



Analysis by Stefan Sellmer

Last update 18 December 2012
