Win32/Weelsof [Threat Name] go to Threat

Win32/Weelsof.B [Threat Variant Name]

Category trojan
Size 107008 B
Detection created May 16, 2012
Detection database version 7143
Aliases Trojan.Win32.Weelsof.aan (Kaspersky)
  Trojan:Win32/Weelsof.C (Microsoft)
  TR/Weelsof.C.68 (Avira)
Short description

Win32/Weelsof.B is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions. When the correct password is entered the trojan removes itself from the computer. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %commonappdata%\­%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable1%" = "%commonappdata%\­%variable1%.exe"

The trojan creates the following file:

  • %commonappdata%\­%variable2%

A string with variable content is used instead of %variable1-2% .


The trojan runs the following process:

  • runas.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • runas.exe

The trojan quits immediately if the Windows user name is one of the following:

  • SANDBOX

The trojan quits immediately if any of the following applications is detected:

  • QEMU

The following programs are terminated:

  • explorer.exe
Other information

Win32/Weelsof.B is a trojan that blocks access to the Windows operating system.


The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


The trojan contains a list of (2) URLs. The HTTPS protocol is used.


To regain access to the operating system the user is requested to comply with given conditions in exchange for a password/instructions.


When the correct password is entered the trojan removes itself from the computer.


The trojan hides the windows of certain running applications.


The trojan may create the following files:

  • %commonappdata%\­%variable3%\­main.html

A string with variable content is used instead of %variable3% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.