When run, variants of Win32/Weelsof copy themselves to the %APPDATA% or %windir% folder with a random file name, for example vtamqgcq.exe or hqbltqpc.exe.
They change the following registry entries to ensure that their copy runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "aefgvpwpvqxksk"
With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%APPDATA%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
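The following PowerShell script is an added example and is not part of the Microsoft encyclopedia entry. It audits the two persistence locations described above: an HKLM Run value whose name and data are random-looking lowercase strings pointing to an executable in %windir% or %APPDATA%, and an HKCU Winlogon Shell value that has been changed away from explorer.exe. The name-length ranges (8 to 20 lowercase letters) are assumptions drawn from the examples on the page. The script is read-only unless -Remediate is passed.

```powershell
# Added example (not from the encyclopedia entry): audit the Weelsof persistence
# locations described above. Read-only unless -Remediate is supplied.
param([switch]$Remediate)

$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings    = @()

# Get-ItemProperty expands REG_EXPAND_SZ data, so match both the literal
# %windir% / %APPDATA% forms and their expanded paths. The 8-20 letter
# range is an assumption based on the page's examples (vtamqgcq, dtikagusucrjujsfkutt).
$randomExe = '^(?:%windir%|%APPDATA%|' + [regex]::Escape($env:windir) + '|' +
             [regex]::Escape($env:APPDATA) + ')\\[a-z]{8,20}\.exe$'

# 1. HKLM Run: random value name -> random executable name
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
        $data = [string]$p.Value
        if ($p.Name -cmatch '^[a-z]{8,20}$' -and $data -cmatch $randomExe) {
            $findings += [pscustomobject]@{ Location = $runKey; Name = $p.Name; Data = $data }
        }
    }
}

# 2. HKCU Winlogon Shell: anything other than explorer.exe replaces the desktop
#    for this user, which is how the full-screen lock page takes over the session.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = $winlogonKey; Name = 'Shell'; Data = $shell }
}

if (-not $findings) { Write-Output 'No Weelsof-style persistence found.'; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        if ($f.Name -eq 'Shell') {
            # Restore the normal shell rather than deleting the value outright.
            Set-ItemProperty -Path $f.Location -Name Shell -Value 'explorer.exe'
        } else {
            Remove-ItemProperty -Path $f.Location -Name $f.Name
        }
        Write-Output "Removed persistence: $($f.Location)\$($f.Name) -> $($f.Data)"
    }
}
```

Because the lock page covers every other window once the copy runs, the audit is most useful from a session in which the threat has not started (for example a recovery environment or a second administrator session), and the executable the values point to should be quarantined at the same time, otherwise the next logon recreates the problem.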
Prevents you from accessing your desktop
Variants of the Win32/Weelsof family display a full-screen webpage that they download from a remote host. The page covers all other windows, rendering your PC unusable. It is a fake warning pretending to be from a legitimate institution, which demands the payment of a fine.
Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.
These displayed webpages might be detected as a variant of the HTML/Genasom family, like Ransom:HTML/Genasom.A.
Some examples of localized webpages that variants of Win32/Weelsof might display are reproduced here.
An image pretending to be from the Policja; the Polish police force:
An image pretending to be from the Politie; the Dutch police:
An image pretending to be from the Elliniki Astynomia; the Greek police:
Images pretending to be from the Federal Bureau of Investigation; the FBI:
An image pretending to be from the Cuerpo Nacional de Policia; the National Police Corps of Spain:
An image pretending to be from the Policia de Seguranca Publica; the Public Security Police of Portugal:
An image pretending to be from the Polizia di Stato; the State Police of Italy:
An image pretending to be from Polisen; the Swedish Police Service:
An image pretending to be from the Gendarmerie Nationale; the National Gendarmerie of France:
An image pretending to be from An Garda Siochana; the Irish National Police Service:
An image pretending to be from the Bundespolizei; the German Federal Police:
Connects to remote servers
In the wild, we have observed Win32/Weelsof downloading the webpages from the following remote hosts via HTTP port 80:
We have observed Win32/Weelsof using a variety of legitimate payment and financial transfer services, including the following:
Note: These providers are not affiliated with Win32/Weelsof.
If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
Win32/Weelsof also drops a file with a randomly generated name of 15 characters into the %APPDATA% folder, for example:
The threat uses this file to store additional configuration information.
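The following PowerShell function is an added example, not part of the encyclopedia entry. It covers both of the file-system artifacts the entry describes: the randomly named copy dropped into %APPDATA% or %windir%, and the 15-character configuration file in %APPDATA%. The name patterns are assumptions built from the page's examples (the configuration file is assumed to have no extension), and the creation-time filter is what keeps long-lived system binaries such as explorer.exe out of the results.

```powershell
# Added example (not from the encyclopedia entry): list recently created files in
# %APPDATA% and %windir% whose names fit the random patterns described above, and
# hash them so they can be submitted or used for hunting across other hosts.
function Find-WeelsofArtifacts {
    param(
        [string[]]$Folders = @($env:APPDATA, $env:windir),
        [int]$MaxAgeDays = 30   # assumption: recent creation time is the strongest discriminator
    )
    $patterns = @(
        '^[a-z]{8,20}\.exe$',   # dropped copy, e.g. vtamqgcq.exe (page example)
        '^[a-z]{15}$'           # 15-character configuration file; no extension is an assumption
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff } |
            Where-Object {
                $name = $_.Name
                # -cmatch keeps the match case-sensitive so only all-lowercase names qualify
                ($patterns | Where-Object { $name -cmatch $_ }).Count -gt 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Created = $_.CreationTime
                    SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Find-WeelsofArtifacts | Format-Table -AutoSize
```

A random-looking lowercase name alone is weak evidence, so each hit should be confirmed against the registry values described earlier (the Run or Shell data will name the dropped executable) before anything is quarantined; legitimate short-named installers can land in %APPDATA% too.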
Analysis by Patrick Estavillo