Win32/Weelsof [Threat Name]

Win32/Weelsof.C [Threat Variant Name]

Category: trojan
Size: 105984 B
Detection created: Jan 24, 2013
Detection database version: 7927
Aliases: Trojan.Win32.Weelsof.aec (Kaspersky)
         Trojan:Win32/Weelsof.C (Microsoft)
         Trojan.Ransomlock.X (Symantec)
Short description

Win32/Weelsof.C is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is requested to comply with given conditions in exchange for a password/instructions. When the correct password is entered, the trojan removes itself from the computer. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %commonappdata%\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%commonappdata%\%variable1%.exe"

A string with variable content is used instead of %variable1-2%.
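The persistence pattern described above (a Run value pointing at an executable with a random name dropped directly into %commonappdata%) can be checked for on a host. The following script is an added example written for this entry, not ESET's code or a detection signature: it assumes %commonappdata% resolves to C:\ProgramData, and the Run values it ships with are constructed sample data.

```python
import ntpath
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (name -> data). Names and paths are illustrative, not real indicators.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "a7f3k2": r"C:\ProgramData\qzlx91ab.exe",              # matches the Weelsof pattern
    "Updater": r'"C:\ProgramData\Vendor\updater.exe" --quiet',  # subfolder: not flagged
}

COMMONAPPDATA = r"C:\ProgramData"  # assumed value of %commonappdata% (Vista and later)


def _target_path(data: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted form: the path ends at the first ".exe" token.
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def suspicious_run_values(values, commonappdata=COMMONAPPDATA):
    """Return names of Run values whose target is an .exe sitting directly in %commonappdata%."""
    base = ntpath.normcase(commonappdata.rstrip("\\"))
    hits = []
    for name, data in values.items():
        path = _target_path(data)
        directory = ntpath.normcase(ntpath.dirname(path).rstrip("\\"))
        if directory == base and path.lower().endswith(".exe"):
            hits.append(name)
    return hits


def load_hkcu_run_values():
    """Read the live HKCU Run key; Windows only (raises ImportError elsewhere)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    values, i = {}, 0
    try:
        while True:                      # EnumValue raises OSError when exhausted
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
            i += 1
    except OSError:
        pass
    winreg.CloseKey(key)
    return values


if __name__ == "__main__":
    try:
        run_values = load_hkcu_run_values()
    except ImportError:                  # not on Windows: fall back to the sample
        run_values = SAMPLE_RUN_VALUES
    print("Run values pointing into %commonappdata%:", suspicious_run_values(run_values))
```

A hit is a lead, not a verdict: legitimate installers occasionally place executables there too, so confirm the file's signature and origin before acting.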


The trojan runs the following process:

  • runas.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan contains both 32-bit and 64-bit program components.


The trojan quits immediately if the user name is one of the following:

  • Sandbox

The trojan quits immediately if any of the following applications is detected:

  • QEMU

The following programs are terminated:

  • explorer.exe

Other information

Win32/Weelsof.C is a trojan that blocks access to the Windows operating system.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTPS protocol is used.


To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.


When the correct password is entered the trojan removes itself from the computer.


The trojan hides the windows of certain running applications.


The trojan may create the following files:

  • %commonappdata%\%variable3%
  • %commonappdata%\%variable4%\main.html

A string with variable content is used instead of %variable3-4%.
