
Win32/Weelsof

Posted: June 11, 2012

Threat Metric

Threat Level: 8/10
Infected PCs: 9
First Seen: May 30, 2012
Last Seen: December 12, 2020
OS(es) Affected: Windows

Weelsof is a ransomware family consisting of Police Trojans and similar threats that display fake legal alerts. Although different versions of Weelsof Trojans have been in distribution for years, recent attacks have provided possible evidence of a renewed infection method that targets potential airline customers. To delete Weelsof and similar Trojans, malware experts recommend the standard security protocols for disabling their warning messages, after which a suitable anti-malware product should be able to remove the threat.

Buying a Flight with Trojans Aboard

Weelsof consists of a variety of members, such as the previously examined Trojan.Weelsof.C, all of which follow consistent standards in their attacks. Although some Weelsof warning messages may claim the ability to encrypt files on your computer, malware analysts have not observed any such function in Weelsof Trojans. Instead, Weelsof blocks access to your computer by locking the Windows desktop and displaying a warning message that references various legal institutions (which vary according to the region of the infected PC).

The most recent Weelsof Trojans circulate in e-mail spam that disguises their installers as printable documentation confirming a ticket purchase with Delta Airlines. In at least one such attack, corroborating evidence confirmed that the victim had intended to travel to the destination cited in the Trojan's e-mail message. Such details may indicate other security breaches elsewhere, predating the opening of the file attachment.

As in typical ransomware attacks, Weelsof blocks all access to other programs and files until its demands are met, which involve transferring cash via vouchers.

Taking the Wheels Off of the Weelsof Ransom Tactic

Weelsof's latest campaign has been ongoing for over a month, but PC users can continue to protect themselves by applying the same standards malware researchers have recommended against similar Windows locker Trojans. Treat with high suspicion any seemingly 'official' e-mail message that urges you to open a file attachment. Even apparently harmless files, such as text documents, may include embedded exploits that install Weelsof.

Most anti-malware products with up-to-date databases should be able to detect variants of Weelsof, which is a thoroughly identified and well-researched family of threats. If Weelsof blocks your anti-malware products, restart your PC in Safe Mode or use a recovery USB device to disable Weelsof's startup routine. Given Weelsof's penchant for random file names and for hiding its files in Windows directories, manually deleting Weelsof is discouraged because of the potential damage to your OS.

In all attacks by Trojans that purport to be part of a law enforcement agency, you should be able to identify the obvious warning signs and respond appropriately. Legitimate legal institutions will never request a money transfer through cash vouchers or Bitcoins (a secondary option for some forms of ransomware), nor will they lock your computer via desktop pop-ups.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

All entries are executable files (MIME type unknown/exe) classified as malware files.

File name                 Path               Size                    MD5                               Detection count  Last updated
file.exe                  -                  55.29 KB (55296 bytes)  f49fc1655ca682701f00c7a5adbb18f1  85               June 19, 2012
file.exe                  -                  53.76 KB (53760 bytes)  c713c6579d06b2be04a69a6466c9951b  83               June 19, 2012
file.exe                  -                  56.83 KB (56832 bytes)  abd3efc8bea05e078be5e3a572ea44ec  82               June 19, 2012
irrmnwmw.exe              %ALLUSERSPROFILE%  53.24 KB (53248 bytes)  796ec572bd1c868aa1ef63568287b5c9  62               June 19, 2012
jattcfwvdyrfwcjjrfej.exe  %WINDIR%           65.53 KB (65536 bytes)  900daa26ac0561998998cdbfbfaae4e4  5                June 19, 2012
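A defender-side triage check built from the file list above and from the note that Weelsof drops random-named executables in Windows directories. This is an added example, not code from the page or its author; the random-name heuristic (all-letter stem of 8+ characters with under 25% vowels) is my own assumption, and the hashes and directories are the ones the page lists.

```python
import hashlib
import os
import re

WEELSOF_MD5S = {  # MD5s copied from the file list on this page
    "f49fc1655ca682701f00c7a5adbb18f1",
    "c713c6579d06b2be04a69a6466c9951b",
    "abd3efc8bea05e078be5e3a572ea44ec",
    "796ec572bd1c868aa1ef63568287b5c9",
    "900daa26ac0561998998cdbfbfaae4e4",
}
WEELSOF_DIRS = ("ALLUSERSPROFILE", "WINDIR")  # drop directories named on this page

def looks_random(filename):
    # Heuristic (my assumption): an all-letter stem of 8+ characters with under
    # 25% vowels, like the page's irrmnwmw.exe or jattcfwvdyrfwcjjrfej.exe.
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.25

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def classify(filename, md5):
    # Returns why a file is suspicious, or None if it matches no indicator.
    if md5 in WEELSOF_MD5S:
        return "md5 matches a known Weelsof sample"
    if filename.lower().endswith(".exe") and looks_random(filename):
        return "random-looking executable name"
    return None

def scan_directory(directory):
    # Only the top level is checked: that is where the page's samples sit.
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            reason = classify(name, md5_of(path))
            if reason:
                hits.append((path, reason))
    return hits

if __name__ == "__main__":
    for var in WEELSOF_DIRS:
        directory = os.environ.get(var, "")
        if os.path.isdir(directory):
            for path, reason in scan_directory(directory):
                print(f"{path}: {reason}")
```

A hash match is conclusive; a name-only hit is a triage lead to confirm with an anti-malware scan, since legitimate tools can have vowel-poor names.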