Trojan.Wdfload
Posted: January 17, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Ranking | 8,110 |
| Threat Level | 8/10 |
| Infected PCs | 30,091 |
| First Seen | January 17, 2017 |
| Last Seen | September 24, 2023 |
| OS(es) Affected | Windows |
Trojan.Wdfload (including aliases such as CertLock or Ceram) is a Trojan that blocks you from using specific brands of anti-virus scanners and related security software. Although this threat is specific to Windows, it prevents affected users from detecting other threatening software on their PCs or carrying out a disinfection strategy. Use standard security protocols and specialized utilities, if necessary, to disable this Trojan before removing Trojan.Wdfload with the anti-malware program of your choosing.
The Anti-Anti-Virus Starts Making Waves
It's not new for threatening software to take various actions in 'self-defense' of its attacks. For one example, readers might recall the ability of some versions of Hidden Tear to disable the Task Manager and other tools that are useful for analyzing system problems. However, usually, these attacks are only one part of a Trojan's payload. With Trojan.Wdfload, the entire payload is customized to serve as an 'anti' to any onboard anti-virus.
Trojan.Wdfload also is commonly referred to by the name CertLock, which comes from one of its most essential features: disabling software-authenticating certificates. It revokes certificates for programs associated with significant AV and security brands and includes both installers and any already-installed products in the attack. Malware experts note that such attacks are immediately noticeable to any user who tries to open one of the blocked applications, since Windows will throw standardized errors.
Interestingly, while many threat actors would stop at the above feature, Trojan.Wdfload also includes a second, fallback method of blocking software. For the moment, malware experts can verify the secondary attack, which hijacks the Hosts file to block the relevant servers, only in deployments against Avast-brand products. Hosts-file edits are more commonly implemented to redirect the victim's Web browser to a corrupted website or to intercept confidential information, such as passwords.
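As an added defender-side example (not code from the original article or from any vendor tool), the following Python audits Hosts-file content for entries that map security-vendor servers to loopback or blackhole addresses, the secondary blocking technique described above. The vendor suffix list and the sample Hosts content are constructed assumptions; on a real Windows system you would read %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Addresses a malicious hosts entry uses to blackhole a name: loopback or
# the unspecified address, so the vendor's servers can never be reached.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Security-vendor domains to watch. Avast is the brand the article names;
# the other suffix is a constructed placeholder for your own vendor list.
WATCHED_SUFFIXES = ("avast.com", "example-av-vendor.com")

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises v4/v6 form
        except ValueError:
            continue  # first field is not an address, so not a hosts mapping
        for host in fields[1:]:
            yield addr, host.lower().rstrip("."), line_no

def is_watched(host):
    """True when host is a watched vendor domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_blocked_vendors(text):
    """Return every hosts mapping that touches a watched vendor domain."""
    # A clean hosts file has no reason to map a vendor's update servers at all,
    # so every such entry is reported; 'sinkholed' marks the blackhole pattern.
    hits = []
    for addr, host, line_no in parse_hosts(text):
        if is_watched(host):
            hits.append({"line": line_no, "host": host, "address": addr,
                         "sinkholed": addr in SINKHOLE_ADDRS})
    return hits

# Constructed sample of a tampered hosts file (not taken from the article).
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.avast.com files.avast.com   # vendor servers blackholed
127.0.0.1       avast.com
10.0.0.5        intranet.corp.example
"""
```

Running `find_blocked_vendors(SAMPLE_HOSTS)` reports the three avast.com entries and leaves the legitimate localhost and intranet mappings alone.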
Keeping the Ante on Anti-Software from Climbing Too High
Trojan.Wdfload is a significant threat for its supportive role, which helps keep your computer vulnerable to attacks over a prolonged time. Bundles that install Trojan.Wdfload currently propagate Bitcoin-mining Trojans as well, which can cause hardware damage and degrade your system's performance. The PC security sector provides free tools customized for removing the Registry-based blockade on the software certificates. As more thorough alternatives, the user can reboot through a method that avoids loading the compromised Registry, or repair Windows.
Although Trojan.Wdfload's only role is disabling specialized applications, it enables a much wider variety of threatening software than itself and never should be assumed to be alone. Threat actors have been deploying this Trojan since May of 2017 through various infection vectors, and any security program should be updated with threat databases released since that time. Having active anti-malware defenses remains integral to deleting Trojan.Wdfload beforehand, when possible.
Trojan.Wdfload sharply exemplifies the arms race between the con artists who deploy threatening software and the security researchers who try to stop them. As counterattack-based 'defenses' for Trojans continue mounting up, the value of preventing computer problems, instead of fixing them afterward, continues rising with them.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system (all are classified in the Malware file group):

| Path | Size | MD5 | Detection count | File type | Mime type | Last updated |
|---|---|---|---|---|---|---|
| %TEMP%\j0gokrsm.3k2\webfriend2.exe | 1.3 MB (1307821 bytes) | 5d7ec0baaa26f766d88fec4af2d1257c | 115 | Executable File | unknown/exe | November 3, 2017 |
| %TEMP%\4ca1ifi3.nyz\webfriend2.exe | 1.31 MB (1312862 bytes) | 6a805384ec05737af818e4786be04fb6 | 84 | Executable File | unknown/exe | November 3, 2017 |
| %TEMP%\0bpct1lz.yat\webfriend2.exe | 1.34 MB (1344075 bytes) | f4f8bd68427f60b8186b00b7fc94cadf | 61 | Executable File | unknown/exe | November 3, 2017 |
| %TEMP%\ffdhbwqn.5mi\webfriend2.exe | 1.32 MB (1323653 bytes) | d36be2a7a50e76b9bb826a776ec9f5fd | 35 | Executable File | unknown/exe | November 3, 2017 |
| C:\Users\<username>\AppData\Local\Temp\g7789.tmp.exe | 249.34 KB (249344 bytes) | 766d5232cde530be672cdfd713c43596 | 28 | Executable File | unknown/exe | November 2, 2021 |
| %TEMP%\13dnia1g.u2d\webfriend2.exe | 1.34 MB (1341233 bytes) | a2e511ee4e61a87b0055ef1885e059a5 | 19 | Executable File | unknown/exe | November 3, 2017 |
| %TEMP%\qpbzqedg.dpa\webfriend2.exe | 1.32 MB (1325792 bytes) | a0d6bcc2af34b9fa68bb4abe22485756 | 9 | Executable File | unknown/exe | November 3, 2017 |
| %PROGRAMFILES%\woolmyturboreport\woolmyturboreport.dll | 2.24 MB (2246144 bytes) | 19e65228e04ad751ea81b9e7bdfee369 | 9 | Dynamic link library | unknown/dll | June 26, 2020 |
| %TEMP%\5xd1ynrj.dpj\webfriend2.exe | 1.31 MB (1311389 bytes) | 561af8e9b994a14402e5b232ab7759ba | 7 | Executable File | unknown/exe | November 3, 2017 |
Registry Modifications
Regexp file mask: %PROGRAMFILES%\NetPhotos\NetPhotos.dll