Home / malwarePDF  

Trojan:Win32/Weelsof.A


First posted on 01 August 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Weelsof.A is also known as Trojan.Weelsof!sg/y+Ttb+Ps (VirusBuster), Win32/DH{ICJbA2cP} (AVG), TR/Winlock.FR (Avira), Trojan.Winlock.6178 (Dr.Web), Win32/Weelsof.A trojan (ESET), Trojan.Win32.Weelsof (Ikarus), FakeAlert-FDH!3444E41067C5 (McAfee), Troj/Weelsof-E (Sophos).

Explanation :



Trojan:Win32/Weelsof.A is a trojan that may lock your screen and ask you for sensitive and/or financial information so that your computer can be restored to normal.



Installation

When run, Trojan:Win32/Weelsof.A copies itself into the %AppData% and %windir% folders using a random file name, for example:

  • %AppData%\lfjyyfrc.exe
  • %windir\lfjyyfrc.exe


It modifies the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%AppData%\<random file name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\<random file name>.exe"



Payload

Connects to certain websites

Trojan:Win32/Weelsof.A connects to the following websites:

  • abfff11obasnoman.info
  • astalavista.aprilbydesign.com
  • blogaboutyou.ru
  • dd.zeroxcode.net
  • dd.zeroxcode.netdll
  • dolores.cursopersona.com
  • euro-police.in
  • fridayaddon.info
  • ilovewholeworld.288536.com
  • kissthesunthereone.ru
  • kissthesuntheretwo.ru
  • loveus.sixclover.com
  • lovinmelovinu.sosyalkamuoyu.com
  • picturehelp.org.uk
  • pictureicon.org.uk
  • pictureinput.org.uk
  • pictureinteractive.org.uk
  • pictureinternet.org.uk
  • picturekeyboard.org.uk
  • police-center.in
  • police-central.in
  • policebrave.info
  • policebreakable.info
  • policebreezy.info
  • serveranxious.in
  • sosexy.baby300.info
  • stiloveu.obavestime.com
  • trybesmart.in
  • ultimategood.info
  • ultimategood.info00
  • uniquegood.info
  • urbangood.info
  • vjnfnjfmio3rejioref.ru
  • weelsoffortune.info
  • weelsoffortune.info


Locks the computer screen

Trojan:Win32/Weelsof.A locks the screen, preventing you from using your computer. It may display a webpage from the sites previously mentioned. The webpage contains a message indicating that your computer is locked and that you have to enter sensitive information or payment to regain access to your computer.



Analysis by Edgardo Diaz

Last update 01 August 2012

 

TOP

Malware :

Family: