Trojan:Win32/Weelsof.C
First posted on 27 September 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Weelsof.C is also known as Trojan.Win32.Weelsof.lj (Kaspersky), Trojan.Weelsof!t1O6U6b1N2Y (VirusBuster), TR/Weelsof.lj (Avira), Win32/Weelsof.B trojan (ESET), Trojan.Win32.Weelsof (Ikarus).
Explanation:
Trojan:Win32/Weelsof.C is a trojan that connects to certain servers to download arbitrary files.
Installation
Trojan:Win32/Weelsof.C drops a randomly named 8-character copy of itself in the %AppData% folder, for example, "cuuqqmoo.exe" or "wlriqzhp.exe".
It also drops a randomly named 15-character file, for example, "tulpmjllloozzic" or "pjqjsyrlgbgksrv". This file is not malicious.
It creates a random 24- or 25-character mutex, for example, "Global\wjdsnjfqdordprmhwlhmsnckl" or "Global\gmokpkjeobbwaolgbbjzszli", to ensure that only one instance of itself is running at any particular time.
Trojan:Win32/Weelsof.C sets the following registry values so its copy automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: <random string>
With data: "%AppData%\<malware file name>.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\<malware file name>.exe"
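The two persistence locations above can be audited on a host with a short script. This is an added example, not part of the Microsoft entry; it assumes the dropped file name uses lowercase letters as in the examples, and any hits it reports are constructed by the script, not values from the page.

```powershell
# Added example (not from the Weelsof.C entry): audit the Winlogon\Shell and
# HKCU Run persistence points described above, plus the %AppData% drop folder.
# Assumption: the 8-character file name is lowercase letters, as in the examples.

$appData  = [Environment]::GetFolderPath('ApplicationData')
$findings = @()

# 1. Winlogon\Shell normally holds exactly "explorer.exe"; anything else is suspect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = $winlogon; Name = 'Shell'; Data = $shell }
}

# 2. HKCU Run: flag any value whose data is an 8-letter .exe directly under %AppData%.
$run    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
$pattern = '^' + [regex]::Escape($appData) + '\\[a-z]{8}\.exe$'   # -match is case-insensitive
if ($runKey) {
    foreach ($p in $runKey.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
        $data     = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($data.Trim('"'))
        if ($expanded -match $pattern) {
            $findings += [pscustomobject]@{ Location = $run; Name = $p.Name; Data = $data }
        }
    }
}

# 3. Drop folder: an 8-letter .exe sitting directly in %AppData% matches the installation pattern.
Get-ChildItem -Path $appData -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[a-z]{8}\.exe$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Location = $appData; Name = $_.Name; Data = $_.FullName }
    }

if ($findings.Count -eq 0) { 'No Weelsof.C-style persistence found.' }
else { $findings | Format-Table -AutoSize }
```

A non-default Winlogon Shell also occurs on legitimately configured kiosk systems, so treat a Shell hit as something to verify against the file it points to rather than as proof of infection on its own.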
Payload
Downloads arbitrary files
Trojan:Win32/Weelsof.C connects to several remote websites to download other files.
Analysis by Jeong Mun
Last update 27 September 2012