Threat Research & Response Blog
Win32/Weelsof is part of a large malware family called ransomware, which is different from your traditional trojans and worms. Ransomware’s main goal is to financially benefit from every infected user and force them to pay.
We included Win32/Weelsof in our November release of the Malicious Software Removal Tool.
Malware entry point
The user can be infected by this malware by visiting a compromised or malicious website. The website may have been compromised by exploits or injected iframes.
Once the malware binary is download and executed, it will connect to a server where it will download the “scare page” setup and configuration that will be used for ransom purposes. It is composed of the following three stages:
Once the malware decrypts the file, it will become a ZIP file that contains the ransomware’s scare page setup.
Once decrypted, the malware will extract the archive and get the scare page’s contents:
Figure 1: Extracted contents from ZIP file
Scare page display
The malware will lock the screen, rendering it unusable for users. A reboot wouldn’t be helpful since the malware binary is registered as an Autorun executable in normal and in safe boot. The tactics of the malware is to scare the user into thinking they have illegally downloaded material such as MP3s, movies or software. The page will act as a governing body such as the FBI, Cuerpo Nacional de Policia (Spanish National Police) and police forces for many other countries.
Figure 2: Example scare page
These scare pages are detected as Trojan:HTML/Weelsof.A. These pages also change in structure to avoid detection.
This malware has been popular in Europe since its early stages. Now, North America - USA specifically - has become its main target.
MMPC's infection figures for Win32/Weelsof place US and Germany at the top spot with a total number of 19% followed by multiple European countries such as France (15%), the United Kingdom (12%) and the Netherlands (8%). Figure 3 presents a graphical display of the distribution of infections across regions.
Figure 3: Infection distribution
Figure 4 demonstrates our monthly hits for Win32/Weelsof since April of this year up to the end of November. The sharp decline in November is most likely evidence of our inclusion in MSRT for that month, as we aggressively began cleaning machines.
Figure 4: Monthly detection counts for Win32/Weelsof