
You have been re-routed to the Ransom:Win32/Weelsof.A write up because Trojan:Win32/Weelsof.A has been renamed to Ransom:Win32/Weelsof.A.
 

Ransom:Win32/Weelsof.A


Microsoft security software detects and removes this threat.

Ransom:Win32/Weelsof.A is a ransomware threat that locks your screen and asks you to pay a "fine" to regain access.

Some images of the lock screen webpage that it displays are available in the Win32/Weelsof description.

More information about ransomware is available in our ransomware page.

Find out ways that malware can get on your PC.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, Ransom:Win32/Weelsof.A copies itself into the %APPDATA% and %windir% folders using a random file name, for example:

It changes the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random file name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%APPDATA%\<random file name>.exe"
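
A defensive check for the two autostart changes listed above, added here as an example (it is not Microsoft's code): it flags Run values whose data points into the AppData folder and a Winlogon Shell value that is anything other than the Windows default, explorer.exe. The function names and the sample values are constructed for illustration.

```python
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Per-user application-data locations: unexpanded variable, Vista and later, XP.
APPDATA_MARKERS = ("%appdata%\\", "\\appdata\\roaming\\", "\\application data\\")

def in_appdata(data):
    """True if the autostart command references a file under the AppData folder."""
    return any(marker in data.lower() for marker in APPDATA_MARKERS)

def audit(entries):
    """Check (subkey, value_name, data) tuples; return (subkey, name, data, reason)."""
    findings = []
    for subkey, name, data in entries:
        key = subkey.rstrip("\\").lower()
        if key == RUN_KEY.lower() and in_appdata(data):
            findings.append((subkey, name, data, "Run entry starts a file in AppData"))
        elif (key == WINLOGON_KEY.lower() and name.lower() == "shell"
              and data.strip().lower() != "explorer.exe"):
            findings.append((subkey, name, data, "Winlogon Shell is not explorer.exe"))
    return findings

def read_hklm():
    """Collect the Run values and the Winlogon Shell value from a live Windows host."""
    import winreg  # Windows-only standard-library module
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # avoid the 32-bit registry view
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, access) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            entries.append((RUN_KEY, name, str(data)))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        entries.append((WINLOGON_KEY, "Shell", str(winreg.QueryValueEx(key, "Shell")[0])))
    return entries

# Constructed sample values for offline use; value and file names are made up.
SAMPLE = [
    (RUN_KEY, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEY, "qzxvbn", r'"%APPDATA%\kdjfhg.exe"'),
    (WINLOGON_KEY, "Shell", r"C:\Users\user\AppData\Roaming\kdjfhg.exe"),
    (WINLOGON_KEY, "Userinit", r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    rows = read_hklm() if sys.platform == "win32" else SAMPLE
    for subkey, name, data, reason in audit(rows):
        print(f"[!] {reason}: HKLM\\{subkey} | {name} = {data}")
```

A Shell value that was changed on purpose, for example on a kiosk deployment, is also flagged and needs manual review.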

Payload

Connects to certain websites

Ransom:Win32/Weelsof.A connects to the following websites:


Locks the PC screen

Ransom:Win32/Weelsof.A locks the screen, preventing you from using your PC. It might display a webpage from the sites previously mentioned. The webpage contains a message indicating that your PC is locked and that you have to enter sensitive information or payment to regain access to your PC.

Some images of what this webpage looks like are available in the Win32/Weelsof description.

Analysis by Edgardo Diaz


Symptoms

Your PC is locked and you cannot use it. A message might display demanding payment for you to regain access to your PC.



Prevention


Alert level: Severe
First detected by definition: 1.123.1683.0
Latest detected by definition: 1.175.549.0 and higher
First detected on: Apr 13, 2012
This entry was first published on: Apr 13, 2012
This entry was updated on: Jun 18, 2014

This threat is also detected as:
  • Trojan.Weelsof!sg/y+Ttb+Ps (VirusBuster)
  • Win32/DH{ICJbA2cP} (AVG)
  • TR/Winlock.FR (Avira)
  • Trojan.Winlock.6178 (Dr.Web)
  • Win32/Weelsof.A trojan (ESET)
  • Trojan.Win32.Weelsof (Ikarus)
  • FakeAlert-FDH!3444E41067C5 (McAfee)
  • Troj/Weelsof-E (Sophos)