
Win32/Weelsof

By Domesticus in Trojans

Win32/Weelsof is a Trojan that installs screen-locking ransomware on poorly protected Windows systems. Two properties are worth separating. The family is polymorphic: its binaries are repacked so that each sample differs, which defeats simple signature matching. It is also geo-targeted: the lock screen is swapped out at run time so that its language and visual presentation match the victim's country, chosen from the system locale or other geo identifiers.

Ransomware locks up data or the normal use of a system while it displays a threatening note and a demand for payment. The victim is usually accused of a crime, whether child pornography or some other offence committed over the Internet. The scheme plays on fear, and to legitimize the accusation the lock screen typically masquerades as a law-enforcement authority of the country being targeted.

Trojans like Win32/Weelsof reach victims through common distribution vectors. They may be bundled with other malware and hidden inside freeware or shareware downloads, planted behind a link or attachment in a carefully written spam email, or seeded on social networks. Like their mythical namesake, Trojans wear a disguise so that users believe them harmless and click or download without caution. If a system has no anti-malware program that combines several scanning techniques, the malware can get in without any warning.

After gaining entry, Win32/Weelsof unpacks and decrypts the components it smuggled inside its dropper. It then opens an outbound connection to a remote server to report the successful infection, and the operator can use that channel to update the infection or push down other malicious programs. The malware registers its executable in an autostart location so that it runs each time Windows starts. It attempts to kill or disable security programs and their update mechanisms, and adds its own executable to the firewall's list of approved programs so that its traffic is not blocked. Finally it blocks access to all other applications and takes over the entire screen to present its accusation and demands. The note gives instructions for an online payment, for example through a voucher service such as Ukash, or a premium-rate SMS number to text. It promises that the system will be unlocked once payment is made, but this is a lie: most ransomware of this kind is built to scare or cheat the victim out of money, not to honour any promise.
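As an added triage check (this script is not from the original page and is not part of any vendor's removal tool), the following PowerShell enumerates the two footholds described above: autostart entries that run the malware at each Windows start, and firewall allow rules for "approved programs". It flags any entry whose program path points into a user-writable directory such as %AppData% or %Temp%, where dropped malware usually lives. The registry Run/RunOnce keys and the Winlogon Shell value are general Windows autostart locations, not locations the page documents for Weelsof specifically, and the firewall check assumes an elevated PowerShell on Windows 8 / Server 2012 or later where the NetSecurity cmdlets exist.

```powershell
# Added triage check, not from the original page: list autostart entries and
# firewall allow rules whose program path lies in a user-writable directory.
# Assumption: run elevated on Windows 8 / Server 2012 or later, where the
# NetSecurity module (Get-NetFirewallRule) is available.

# General Windows autostart locations (not Weelsof-specific paths).
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimately installed service binary rarely lives in,
# but a dropped payload almost always does.
$suspiciousPath = '(?i)\\(AppData|Local Settings|Temp|ProgramData|Users\\Public)\\'

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Expand %AppData%, %Temp%, %SystemRoot% and friends before matching.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return [bool]($expanded -match $suspiciousPath)
}

$findings = @()

# 1. Registry Run / RunOnce values.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        if (Test-SuspiciousPath $p.Value) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2. Winlogon Shell: a locker that replaces explorer.exe here owns the whole
#    desktop from logon onward. Anything other than explorer.exe is suspect.
foreach ($hive in 'HKCU', 'HKLM') {
    $wl = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Source = $wl; Name = 'Shell'; Value = $shell }
    }
}

# 3. Firewall exceptions: an enabled allow rule for a binary under %AppData%
#    or %Temp% is the "approved programs" trick described in the text.
$allowRules = Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue
foreach ($rule in $allowRules) {
    $app = ($rule | Get-NetFirewallApplicationFilter).Program
    if (Test-SuspiciousPath $app) {
        $findings += [pscustomobject]@{ Source = 'FirewallRule'; Name = $rule.DisplayName; Value = $app }
    }
}

$findings | Format-Table -AutoSize
```

Treat the output as a shortlist rather than a verdict: some legitimate updaters install into %LocalAppData% and will also appear. If the lock screen owns the normal desktop, run the script from Safe Mode with Command Prompt, which does not process the Run keys and starts cmd.exe instead of the configured shell.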

DO NOT GIVE IN TO THE RANSOM or pay some hacker your hard-earned money! Your system is infected, and paying will neither clean it nor restore normal operation. Many Trojans use rootkit techniques to hide their files and components among the operating system's own files, and may give them the same names as legitimate system files to confuse anyone trying to remove the infection. They can also hook legitimate running processes to conceal their activity. Manual removal is therefore not impossible, but it is hampered by these obfuscation tricks: deleting the wrong file can damage the operating system or erase valuable data, while overlooking a single component lets the infection return at the next boot. It is therefore strongly recommended that you use a professional, trusted anti-malware solution proven to find hidden components and remove them without causing further damage.

A professional anti-malware solution will not only stop the visible attack and unlock the screen, but also end the activity the Trojan carries on underneath it: stealing data from the browser cache, harvesting email addresses, collecting system information that reveals exploitable weaknesses, and installing the other malicious programs it has downloaded.
