Win32/Weelsof is part of a large malware family called ransomware, which is different from your traditional trojans and worms. Ransomware’s main goal is to financially benefit from every infected user and force them to pay.

We included Win32/Weelsof in our November release of the Malicious Software Removal Tool.

Malware entry point

The user can be infected by this malware by visiting a compromised or malicious website. The website may have been compromised by exploits or injected iframes.

Malware binary

Once the malware binary is download and executed, it will connect to a server where it will download the “scare page” setup and configuration that will be used for ransom purposes. It is composed of the following three stages:

  1. Download of the scare page – this is an encrypted data file that uses RC4 encryption, retrieved with https://<malicious domain>/<random number>/get_dsn.php
  2. Confirmation of location – The ransomware retrieves the geo-location of the machine, with https://<malicious domain>/<random number>/get_coce.php
  3. Confirmation of IP address – The ransomware gets the IP address of the infected machine, with https://<malicious domain>/<random number>/get.php

Once the malware decrypts the file, it will become a ZIP file that contains the ransomware’s scare page setup.

Once decrypted, the malware will extract the archive and get the scare page’s contents:

Win32/Weelsof
Figure 1: Extracted contents from ZIP file

 

Scare page display

The malware will lock the screen, rendering it unusable for users. A reboot wouldn’t be helpful since the malware binary is registered as an Autorun executable in normal and in safe boot. The tactics of the malware is to scare the user into thinking they have illegally downloaded material such as MP3s, movies or software. The page will act as a governing body such as the FBI, Cuerpo Nacional de Policia (Spanish National Police) and police forces for many other countries.

Win32/Weelsof
Figure 2: Example scare page

 

These scare pages are detected as Trojan:HTML/Weelsof.A. These pages also change in structure to avoid detection.

This malware has been popular in Europe since its early stages. Now, North America - USA specifically - has become its main target.

MMPC's infection figures for Win32/Weelsof place US and Germany at the top spot with a total number of 19% followed by multiple European countries such as France (15%), the United Kingdom (12%) and the Netherlands (8%). Figure 3 presents a graphical display of the distribution of infections across regions.

Win32/Weelsof
Figure 3: Infection distribution

 

Figure 4 demonstrates our monthly hits for Win32/Weelsof since April of this year up to the end of November. The sharp decline in November is most likely evidence of our inclusion in MSRT for that month, as we aggressively began cleaning machines.

Win32/Weelsof

Figure 4: Monthly detection counts for Win32/Weelsof

 

 

-Patrick Estavillo
MMPC