You have been re-routed to the Ransom:Win32/Weelsof.C write-up because Trojan:Win32/Weelsof.C has been renamed to Ransom:Win32/Weelsof.C.

Ransom:Win32/Weelsof.C


Trojan:Win32/Weelsof.C is a trojan that connects to certain servers to download arbitrary files.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Trojan:Win32/Weelsof.C is a trojan that connects to certain servers to download arbitrary files.

Installation

Trojan:Win32/Weelsof.C drops a randomly-named 8-character copy of itself in the %AppData% folder, for example, "cuuqqmoo.exe" or "wlriqzhp.exe". %AppData% resolves to the user's roaming profile folder, for example "C:\Users\<user>\AppData\Roaming" on Windows Vista and later, or "C:\Documents and Settings\<user>\Application Data" on Windows XP.

It also drops a randomly-named 15-character file, for example, "tulpmjllloozzic" or "pjqjsyrlgbgksrv". This file is not malicious.

It creates a mutex with a random 24-25 character name, for example, "Global\wjdsnjfqdordprmhwlhmsnckl" or "Global\gmokpkjeobbwaolgbbjzszli", to ensure that only one instance of itself is running at any particular time.

Trojan:Win32/Weelsof.C creates the following registry entries so its copy automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: <random string>
With data: "%AppData%\<malware file name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%AppData%\<malware file name>.exe"

The default data for the Winlogon "Shell" value is "explorer.exe"; replacing it makes the malware copy start as the user's desktop shell at every logon, independently of the HKCU Run entry. Writing to this HKLM subkey requires administrative rights.

Payload

Downloads arbitrary files

Trojan:Win32/Weelsof.C connects to the following websites to download other files:

  • dolores.cursopersona.com
  • fridayaddon.info
  • frivnrifr771kfii3834.info
  • ginnsuilspe94mdjjs.info
  • re4rwe3sg4744pps5e.info
  • sogood.vitaminavip.com
  • solovely.kugufejupaqajax.info
  • verywell.xan7rafx.biz
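The persistence indicators in the Installation section (an 8-letter .exe under %AppData%, a 24-25 letter "Global\" mutex, a replaced Winlogon "Shell" value) and the C2 hosts listed above can be checked mechanically. The following Python script is an added example written for this write-up, not Microsoft's detection logic: it applies those checks to a constructed snapshot of Run values, the Winlogon Shell value, mutex names and DNS query log lines. All sample data, the log line layout (client=... query=...) and the function names are assumptions made for the example.

```python
import re

# C2 hosts from the write-up above.
C2_DOMAINS = {
    "dolores.cursopersona.com", "fridayaddon.info", "frivnrifr771kfii3834.info",
    "ginnsuilspe94mdjjs.info", "re4rwe3sg4744pps5e.info", "sogood.vitaminavip.com",
    "solovely.kugufejupaqajax.info", "verywell.xan7rafx.biz",
}


def is_weelsof_dropper_path(path: str) -> bool:
    """True for '%AppData%\\xxxxxxxx.exe': eight lowercase letters in the roaming AppData folder.
    Accepts both the unexpanded %AppData% form and an expanded ...\\AppData\\Roaming path."""
    path = path.strip().strip('"')
    directory, _, name = path.rpartition("\\")
    d = directory.lower()
    in_appdata = d == "%appdata%" or d.endswith("\\appdata\\roaming")
    return in_appdata and re.fullmatch(r"[a-z]{8}\.exe", name) is not None


def is_weelsof_mutex(name: str) -> bool:
    """True for a 24-25 lowercase-letter mutex name in the Global namespace."""
    return re.fullmatch(r"Global\\[a-z]{24,25}", name) is not None


def winlogon_shell_hijacked(shell_value: str) -> bool:
    """The stock Winlogon Shell value is 'explorer.exe'; anything else replaces the desktop shell."""
    return shell_value.strip().strip('"').lower() != "explorer.exe"


def matches_c2_domain(hostname: str) -> bool:
    """Exact match or a subdomain of a listed C2 host (so 'fridayaddon.info.example.org' is not a hit)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(lines):
    """Return (client, queried name) pairs whose queried name is a Weelsof C2 host."""
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m and matches_c2_domain(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def scan_host(run_values, winlogon_shell, mutexes):
    """Combine the three persistence checks into a list of findings for one host."""
    findings = []
    for value_name, data in run_values.items():
        if is_weelsof_dropper_path(data):
            findings.append(f"Run value {value_name!r} -> {data}")
    if winlogon_shell_hijacked(winlogon_shell):
        findings.append(f"Winlogon Shell replaced: {winlogon_shell}")
    for m in mutexes:
        if is_weelsof_mutex(m):
            findings.append(f"Weelsof-style mutex: {m}")
    return findings


# Constructed sample data for a stand-alone run; not taken from a real system.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "kzqpwmtd": r"C:\Users\alice\AppData\Roaming\cuuqqmoo.exe",
}
SAMPLE_SHELL = r"C:\Users\alice\AppData\Roaming\cuuqqmoo.exe"
SAMPLE_MUTEXES = [r"Global\wjdsnjfqdordprmhwlhmsnckl", r"Local\MSCTF.Asm.MutexDefault1"]
SAMPLE_DNS_LOG = [
    "2012-07-04T10:22:31Z client=10.0.0.15 query=www.microsoft.com type=A",
    "2012-07-04T10:22:40Z client=10.0.0.15 query=sogood.vitaminavip.com type=A",
    "2012-07-04T10:22:41Z client=10.0.0.15 query=cdn.verywell.xan7rafx.biz type=A",
    "2012-07-04T10:23:02Z client=10.0.0.22 query=fridayaddon.info.example.org type=A",
]

if __name__ == "__main__":
    for f in scan_host(SAMPLE_RUN_VALUES, SAMPLE_SHELL, SAMPLE_MUTEXES):
        print("HOST:", f)
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS:", client, "->", name)
```

The file-name and mutex patterns are heuristics: an 8-letter lowercase executable in the roaming profile is unusual but not unique to this family, so treat those hits as leads to confirm with a scanner, whereas a Winlogon "Shell" value that is not "explorer.exe" is worth investigating on its own.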

Analysis by Jeong Mun


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.129.991.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Jul 04, 2012
This entry was first published on: Jul 04, 2012
This entry was updated on: Sep 27, 2012

This threat is also detected as:
  • Trojan.Win32.Weelsof.lj (Kaspersky)
  • Trojan.Weelsof!t1O6U6b1N2Y (VirusBuster)
  • TR/Weelsof.lj (Avira)
  • Win32/Weelsof.B trojan (ESET)
  • Trojan.Win32.Weelsof (Ikarus)