Installation
When run, variants of Win32/Weelsof copy themselves to the %APPDATA% or %windir% folder with a random file name, for example vtamqgcq.exe or hqbltqpc.exe.
They change the following registry entries to ensure that their copy runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "aefgvpwpvqxksk"
With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
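A read-only triage script for the two persistence locations listed above, added here as an example and not part of the Microsoft description. It assumes the executable name is a run of 8 to 20 lowercase letters sitting directly in %APPDATA% or %windir%, as in the sample names above; the Test-WeelsofLikePath function and that length range are the example's own choices.

```powershell
# Added example, not part of the Microsoft description: read-only triage of the
# two persistence locations listed above. Run in an elevated PowerShell session
# on the host being examined; it prints findings and changes nothing.

$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# The drop folders named in the description. Comparison is done on expanded
# paths because the Run value may be stored with %windir% unexpanded.
$dropDirs = @(
    [Environment]::GetFolderPath('ApplicationData'),
    $env:windir
)

function Test-WeelsofLikePath {
    param([string]$Data)
    # Keep only the executable path: a quoted path, or else the first token.
    $exe = if ($Data -match '^"([^"]+)"') { $Matches[1] } else { ($Data -split '\s+')[0] }
    $exe  = [Environment]::ExpandEnvironmentVariables($exe)
    $dir  = [IO.Path]::GetDirectoryName($exe)
    $name = [IO.Path]::GetFileName($exe)
    if (-not $dir) { return $false }
    # Directly in %APPDATA% or %windir% (not a subfolder) ...
    $inDropDir = $dropDirs | Where-Object { $_.TrimEnd('\') -ieq $dir.TrimEnd('\') }
    # ... and named with a run of lowercase letters, like the samples above.
    # Assumption: 8 to 20 letters covers the observed names; tune as needed.
    return [bool]($inDropDir -and ($name -match '^[a-z]{8,20}\.exe$'))
}

# 1. Winlogon Shell: the description says Weelsof sets this under HKCU. A clean
#    profile normally has no Shell value there at all (the default explorer.exe
#    is defined under HKLM), so any value here deserves a look.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    Write-Warning "HKCU Winlogon Shell is set to '$shell'"
    if (Test-WeelsofLikePath -Data $shell) { Write-Warning '  -> matches the Weelsof drop pattern' }
}

# 2. HKLM Run: flag values whose data points at a random-looking name in a drop folder.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            if (Test-WeelsofLikePath -Data ([string]$_.Value)) {
                Write-Warning "Run value '$($_.Name)' -> $($_.Value)"
            }
        }
}
```

The script only reports; removal of a confirmed entry and the file it points to is left to the analyst so that the evidence can be collected first.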
Payload
Prevents you from accessing your desktop
Variants of the Win32/Weelsof family display a full-screen webpage that they download from a remote host. The page covers all other windows, rendering your PC unusable. It is a fake warning pretending to be from a legitimate institution, which demands the payment of a fine.
Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.
These displayed webpages might be detected as a variant of the HTML/Genasom family, like Ransom:HTML/Genasom.A.
Some examples of localized webpages that variants of Win32/Weelsof might display are reproduced here.
An image pretending to be from the Policja; the Polish police force:
An image pretending to be from the Politie; the Dutch police:
An image pretending to be from the Elliniki Astynomia; the Greek police:
Images pretending to be from the Federal Bureau of Investigation; the FBI:
An image pretending to be from the Cuerpo Nacional de Policia; the National Police Corps of Spain:
An image pretending to be from the Policia de Seguranca Publica; the Public Security Police of Portugal:
An image pretending to be from the Polizia di Stato; the State Police of Italy:
An image pretending to be from Polisen; the Swedish Police Service:
An image pretending to be from the Gendarmerie Nationale; the National Gendarmerie of France:
An image pretending to be from An Garda Siochana; the Irish National Police Service:
An image pretending to be from the Bundespolizei; the German Federal Police:
Connects to remote servers
In the wild, we have observed Win32/Weelsof downloading the webpages from the following remote hosts over HTTP on port 80:
- dolores.cursopersona.com
- fridayaddon.info
- frivnrifr771kfii3834.info
- ginnsuilspe94mdjjs.info
- pictureicon.org.uk
- pictureinteractive.org.uk
- pictureinternet.org.uk
- picturekeyboard.org.uk
- police-center.in
- police-central.in
- policebrave.info
- policebreakable.info
- policebreezy.info
- re4rwe3sg4744pps5e.info
- serveranxious.in
- sogood.vitaminavip.com
- solovely.kugufejupaqajax.info
- sosexy.baby300.info
- stiloveu.obavestime.com
- trybesmart.in
- ultimategood.info
- uniquegood.info
- urbangood.info
- verywell.xan7rafx.biz
- vjnfnjfmio3rejioref.ru
- weelsoffortune.info
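A matcher that checks outbound web requests against the host list above, added here as an example and not part of the Microsoft description. The proxy log lines are constructed for the example and their field layout is an assumption; the function only looks for host names inside http(s) URLs, so it works on any text log that records the requested URL.

```powershell
# Added example, not part of the Microsoft description: match outbound web
# requests against the host list above. The log lines are constructed for the
# example; the field layout is an assumption, the matcher only looks at URLs.

$weelsofHosts = @(
    'dolores.cursopersona.com', 'fridayaddon.info', 'frivnrifr771kfii3834.info',
    'ginnsuilspe94mdjjs.info', 'pictureicon.org.uk', 'pictureinteractive.org.uk',
    'pictureinternet.org.uk', 'picturekeyboard.org.uk', 'police-center.in',
    'police-central.in', 'policebrave.info', 'policebreakable.info', 'policebreezy.info',
    're4rwe3sg4744pps5e.info', 'serveranxious.in', 'sogood.vitaminavip.com',
    'solovely.kugufejupaqajax.info', 'sosexy.baby300.info', 'stiloveu.obavestime.com',
    'trybesmart.in', 'ultimategood.info', 'uniquegood.info', 'urbangood.info',
    'verywell.xan7rafx.biz', 'vjnfnjfmio3rejioref.ru', 'weelsoffortune.info'
)

function Find-WeelsofContacts {
    param([string[]]$Lines, [string[]]$Hosts)
    # Case-insensitive set so that mixed-case log entries still match.
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Hosts) { [void]$known.Add($h) }
    foreach ($line in $Lines) {
        # Pull every host out of http(s) URLs on the line; plain HTTP on port 80
        # is what the description reports, but https is accepted too.
        foreach ($m in [regex]::Matches($line, 'https?://([^/:\s]+)')) {
            $hostName = $m.Groups[1].Value
            if ($known.Contains($hostName)) {
                [pscustomobject]@{ Host = $hostName; Line = $line.Trim() }
            }
        }
    }
}

# Constructed sample proxy log (timestamp, client, method, URL, status).
$sampleLog = @'
2012-06-01 10:02:11 10.0.0.15 GET http://www.example.com/ 200
2012-06-01 10:02:19 10.0.0.15 GET http://policebrave.info/en/index.php 200
2012-06-01 10:02:20 10.0.0.15 GET http://policebrave.info/en/style.css 200
2012-06-01 10:03:41 10.0.0.22 GET http://weelsoffortune.info/lock 200
2012-06-01 10:04:02 10.0.0.15 GET http://www.example.org/news 200
'@ -split "`r?`n"

# Three of the five constructed lines hit listed hosts, from two clients.
Find-WeelsofContacts -Lines $sampleLog -Hosts $weelsofHosts | Format-Table -AutoSize
```

Matching is exact on the host name because the list mixes apex domains and specific subdomains; a client that hits one of these hosts and then shows the full-screen lock page described above is a strong candidate for the registry triage.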
Additional information
We have observed Win32/Weelsof using a variety of legitimate payment and financial transfer services, including the following:
Note: These providers are not affiliated with Win32/Weelsof.
If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
Win32/Weelsof also drops a file with a randomly generated name of 15 characters into the %APPDATA% folder, for example:
The threat uses this file to store additional configuration information.
Analysis by Patrick Estavillo