
Trojan:Win32/Weelsof


First posted on 24 October 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Weelsof.

Explanation:

Trojan:Win32/Weelsof is a family of ransomware trojans that targets users from certain countries. It locks your computer and displays a localized webpage that covers your desktop and demands the payment of a fine for the supposed possession of illicit material.



Installation

When run, variants of Trojan:Win32/Weelsof copy themselves to the %APPDATA% or %windir% folder with a random filename, for example "vtamqgcq.exe" or "hqbltqpc.exe".

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".

Variants of Trojan:Win32/Weelsof modify the following registry entries to ensure that their copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "aefgvpwpvqxksk"
With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%APPDATA%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
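A triage check for the two persistence locations listed above, added here as an example and not part of the Microsoft entry: it parses a constructed .reg export (such as one taken from a suspect machine) and flags Run values that point straight into %windir% or %APPDATA% with a random-looking name, and any Winlogon Shell value that is not explorer.exe. The "random-looking name" rule is a heuristic of this example, not something the advisory defines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a .reg export (not from the advisory); it mirrors the
# two persistence entries described for Trojan:Win32/Weelsof plus one benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"aefgvpwpvqxksk"="%windir%\\dtikagusucrjujsfkutt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%APPDATA%\\dtikagusucrjujsfkutt.exe"
'''

RUN_KEY = r"software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
DROP_DIRS = {"%windir%", "%appdata%"}          # folders the trojan copies itself into
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="REG_SZ data"

def parse_reg(text):
    """Yield (key, value name, string data) for every REG_SZ line in a .reg export."""
    key = None
    unescape = lambda s: s.replace(r"\\", "\\").replace(r"\"", '"')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def looks_random(stem):
    """Heuristic (an assumption of this example): 8+ lowercase letters containing a
    run of 4+ consonants, which matches names like 'hqbltqpc' but not 'explorer'."""
    return bool(re.fullmatch(r"[a-z]{8,}", stem)) and bool(re.search(r"[^aeiou]{4}", stem))

def find_weelsof_persistence(reg_text):
    """Return (key, value name, data) for entries matching the advisory's persistence pattern."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        hive, _, subkey = key.partition("\\")
        subkey = subkey.lower().rstrip("\\")
        path = PureWindowsPath(data.split(" ")[0].strip('"'))  # first token: the image path
        if subkey == RUN_KEY and str(path.parent).lower() in DROP_DIRS and looks_random(path.stem):
            findings.append((f"{hive}\\{subkey}", name, data))
        # The default Shell value lives under HKLM; one under HKCU is already unusual,
        # and anything other than explorer.exe replaces the desktop entirely.
        elif subkey == WINLOGON_KEY and name.lower() == "shell" and path.name.lower() != "explorer.exe":
            findings.append((f"{hive}\\{subkey}", name, data))
    return findings
```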



Payload

Prevents you from accessing your desktop

Variants of the Trojan:Win32/Weelsof family display a full-screen webpage that they download from a remote host. The page covers all other windows, rendering the computer unusable. It is a fake warning pretending to be from a legitimate institution which demands the payment of a fine.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

These displayed webpages may be detected as a variant of the Trojan:HTML/Ransom family, such as Trojan:HTML/Ransom.A.

Some examples of localized webpages that variants of Trojan:Win32/Weelsof may display are reproduced here.

An image pretending to be from the Policja; the Polish police force:

An image pretending to be from the Politie; the Dutch police:

An image pretending to be from the Elliniki Astynomia; the Greek police:

Images pretending to be from the Federal Bureau of Investigation; the FBI:

An image pretending to be from the Cuerpo Nacional de Policia; the National Police Corps of Spain:

An image pretending to be from the Policia de Seguranca Publica; the Public Security Police of Portugal:

An image pretending to be from the Polizia di Stato; the State Police of Italy:

An image pretending to be from Polisen; the Swedish Police Service:

An image pretending to be from the Gendarmerie Nationale; the National Gendarmerie of France:

An image pretending to be from An Garda Siochana; the Irish National Police Service:

An image pretending to be from the Bundespolizei; the German Federal Police:

Connects to remote servers

In the wild, we have observed Trojan:Win32/Weelsof downloading the webpages from a number of remote hosts via HTTP on port 80.

Additional information

We have observed Trojan:Win32/Weelsof using a variety of legitimate payment and financial transfer services, including the following:

  • Green Dot MoneyPak
  • Paysafecard
  • Ukash
  • Ultimate Game Card


Note: These providers are not affiliated with Trojan:Win32/Weelsof.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

  • What to do if you are a victim of fraud

Related encyclopedia entries

Trojan:HTML/Ransom.A



Analysis by Patrick Estavillo

Last update 24 October 2012
