Installation
When run, Ransom:Win32/Weelsof.A copies itself into the %APPDATA% and %windir% folders using a random file name, for example:
It changes the following registry entries to ensure that its copy runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random file name>.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Shell"
With data: "%APPDATA%\<random file name>.exe"
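The two registry changes above are a useful detection opportunity: a Winlogon Shell value that is not explorer.exe, or a Run entry that launches an executable straight out of %APPDATA%, is unusual on a healthy host. The following is an added example (not from the original description) of a small Python triage check over registry values that have already been exported as (subkey, value name, data) tuples; the sample entries and the file name qkz3vd.exe are constructed for illustration.

```python
import re

# Persistence locations named in the description above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Winlogon Shell normally points at Explorer; anything else deserves a look.
EXPECTED_SHELL = "explorer.exe"

# Executable under the roaming AppData folder, with %APPDATA% expanded or not.
APPDATA_EXE = re.compile(
    r'^"?(%APPDATA%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\[^\\]+\.exe"?$',
    re.IGNORECASE,
)


def check_persistence(entries):
    """entries: iterable of (subkey, value_name, data) tuples, e.g. parsed
    from a registry export. Returns a list of (severity, reason, entry)."""
    findings = []
    for subkey, name, data in entries:
        key = subkey.rstrip("\\").lower()   # tolerate a trailing backslash
        value = data.strip()
        if key == WINLOGON_KEY.lower() and name.lower() == "shell":
            if value.strip('"').lower() != EXPECTED_SHELL:
                findings.append(("high", "Winlogon Shell replaced", (subkey, name, data)))
        elif key == RUN_KEY.lower() and APPDATA_EXE.match(value):
            findings.append(("medium", "Run entry launches an executable from %APPDATA%",
                             (subkey, name, data)))
    return findings


# Constructed sample, not real telemetry: two benign values followed by the
# two changes this family makes (random file name chosen here as qkz3vd.exe).
SAMPLE = [
    (WINLOGON_KEY, "Shell", "explorer.exe"),
    (RUN_KEY, "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (WINLOGON_KEY + "\\", "Shell", r"%APPDATA%\qkz3vd.exe"),
    (RUN_KEY, "qkz3vd", r"C:\Users\alice\AppData\Roaming\qkz3vd.exe"),
]

if __name__ == "__main__":
    for severity, reason, entry in check_persistence(SAMPLE):
        print(f"[{severity}] {reason}: {entry}")
```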
Payload
Connects to certain websites
Ransom:Win32/Weelsof.A connects to the following websites:
Locks the PC screen
Ransom:Win32/Weelsof.A locks the screen, preventing you from using your PC. It might display a webpage from one of the sites previously mentioned. The webpage contains a message indicating that your PC is locked and that you must pay or enter sensitive information to regain access to your PC.
Some images of what this webpage looks like are available in the Win32/Weelsof description.
Analysis by Edgardo Diaz