Win32/Weelsof


Microsoft security software detects and removes this threat.

This family of ransomware threats displays a localized webpage that covers your desktop and demands the payment of a fine for the supposed possession of illicit material.

Some variants of Win32/Weelsof can make lasting changes to your PC that make it difficult for you to download, install, run, or update your antivirus software.

Find out ways that malware can get on your PC.  



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, variants of Win32/Weelsof copy themselves to the %APPDATA% or %windir% folder with a random file name, for example vtamqgcq.exe or hqbltqpc.exe.

They change the following registry entries to ensure that their copy runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "aefgvpwpvqxksk"
With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%APPDATA%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"

Payload

Prevents you from accessing your desktop

Variants of the Win32/Weelsof family display a full-screen webpage that they download from a remote host. The page covers all other windows, rendering your PC unusable. It is a fake warning pretending to be from a legitimate institution, which demands the payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.

These displayed webpages might be detected as a variant of the HTML/Genasom family, like Ransom:HTML/Genasom.A.

Some examples of localized webpages that variants of Win32/Weelsof might display are reproduced here.

An image pretending to be from the Policja; the Polish police force:

An image pretending to be from the Politie; the Dutch police:

An image pretending to be from the Elliniki Astynomia; the Greek police:

Images pretending to be from the Federal Bureau of Investigation; the FBI:

An image pretending to be from the Cuerpo Nacional de Policia; the National Police Corps of Spain:

An image pretending to be from the Policia de Seguranca Publica; the Public Security Police of Portugal:

An image pretending to be from the Polizia di Stato; the State Police of Italy:

An image pretending to be from Polisen; the Swedish Police Service:

An image pretending to be from the Gendarmerie Nationale; the National Gendarmerie of France:

An image pretending to be from An Garda Siochana; the Irish National Police Service:

An image pretending to be from the Bundespolizei; the German Federal Police:

Connects to remote servers

In the wild, we have observed Win32/Weelsof downloading the webpages from the following remote hosts via HTTP port 80:

Additional information

We have observed Win32/Weelsof using a variety of legitimate payment and financial transfer services, including the following:

Note: These providers are not affiliated with Win32/Weelsof.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

Win32/Weelsof also drops a file with a randomly generated name of 15 characters into the %APPDATA% folder, for example:

The threat uses this file to store additional configuration information.

Analysis by Patrick Estavillo


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    %APPDATA%\pjqjsyrlgbgksrv
    %APPDATA%\tulpmjllloozzic
  • You see these entries or keys in your registry:
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random string>", for example "aefgvpwpvqxksk"
    With data: "%windir%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Sets value: "Shell"
    With data: "%APPDATA%\<random filename>.exe", for example "dtikagusucrjujsfkutt.exe"
  • You see these, or similar, images:
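The registry and file indicators listed under Installation and Symptoms can be checked with a small script. The following is an added example, not Microsoft's tooling: it runs offline over constructed sample values (a Run key, the Winlogon Shell value and an %APPDATA% listing), and the name-length heuristics it uses are assumptions, not something the page states. On a live system the inputs would be read with winreg or `reg query` instead.

```python
import ntpath
import re

# Constructed sample inputs (not from a real machine): a Run key, the
# Winlogon Shell value and the names found directly under %APPDATA%.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "aefgvpwpvqxksk": r"C:\Windows\dtikagusucrjujsfkutt.exe",
}
SAMPLE_WINLOGON_SHELL = r"C:\Users\alice\AppData\Roaming\dtikagusucrjujsfkutt.exe"
SAMPLE_APPDATA_ENTRIES = ["pjqjsyrlgbgksrv", "tulpmjllloozzic", "Microsoft", "settings.ini"]

# Assumed heuristics for the lowercase junk names this family generates.
JUNK_NAME = re.compile(r"^[a-z]{12,24}$")
CONFIG_NAME = re.compile(r"^[a-z]{15}$")   # the 15-character dropped config file


def check_winlogon_shell(shell_value: str) -> list[str]:
    """Winlogon\\Shell should be explorer.exe (or absent). Anything else is
    started instead of the desktop, which is how the lock screen takes over."""
    if shell_value.strip().lower() in ("", "explorer.exe"):
        return []
    return [f"Winlogon Shell replaced: {shell_value}"]


def check_run_entries(run_values: dict[str, str]) -> list[str]:
    """Flag Run values whose name and target executable both look machine-generated."""
    findings = []
    for name, data in run_values.items():
        d = data.strip()
        # Take the quoted path if present, otherwise the first token (drops arguments).
        target = d[1:d.index('"', 1)] if d.startswith('"') else d.split()[0]
        stem, ext = ntpath.splitext(ntpath.basename(target))
        if ext.lower() == ".exe" and JUNK_NAME.match(name) and JUNK_NAME.match(stem):
            findings.append(f"Suspicious Run entry {name!r} -> {target}")
    return findings


def check_appdata_entries(entries: list[str]) -> list[str]:
    """Flag 15-character lowercase names with no extension directly in %APPDATA%."""
    return [f"Possible config file: %APPDATA%\\{e}" for e in entries if CONFIG_NAME.match(e)]


def scan(run_values, shell_value, appdata_entries) -> list[str]:
    return (check_winlogon_shell(shell_value)
            + check_run_entries(run_values)
            + check_appdata_entries(appdata_entries))


if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN_VALUES, SAMPLE_WINLOGON_SHELL, SAMPLE_APPDATA_ENTRIES):
        print(finding)
```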




Prevention


Alert level: Severe
This entry was first published on: Sep 27, 2012
This entry was updated on: Jun 18, 2014

This threat is also detected as:
No known aliases