Weather Zero is a dropper-like unwanted program that disguises itself as a weather widget for Windows. It spreads as potentially unwanted software via bundling and can deliver malware to the target system. Its innocent looks lead many users to ignore it or assume it is harmless, so they are in no hurry to remove it. Let me explain its dangers in detail and show how to remove the unwanted program from the system.
Weather Zero Overview
Weather Zero appears to be a program that displays real-time weather information. At first glance, it is just a tiny weather widget that sits in the lower right corner of the screen. To be fair, it is of little use on modern Windows 10/11 systems, which have a similar widget built directly into the taskbar. But the key problem with the app goes far beyond duplicating system functions: it has malware-like capabilities. Weather Zero can in fact act as a dropper, aiming to deliver a payload of other malware to the target system.
The most common way Weather Zero spreads is bundling with shady software found online. Game mods, trainers, cheats, “patches” for older games, or outright pirated software: all of this typically comes from no-name developers who are free to inject whatever junkware they want, and Weather Zero is just another participant in this scheme.
Technical Analysis
To prove the claims made earlier, let’s get into the technical aspects of Weather Zero and uncover why this program is not what it claims to be.
The first red flag is that this program checks for virtual environments and debuggers, which is unusual for a typical application. Legitimate software normally does not care what it runs on; some hardware checks do occur, but the list is short and is not aimed at detecting a hypervisor or a sandbox. With this app, I’ve seen checks of the following files and registry keys:
C:\WINDOWS\wininit.ini
C:\Windows\system32\drivers\etc\hosts
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\Hardware\description\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
As the key names suggest, the program is reading BIOS information and hardware details and specifically looking for keys related to virtual machines. The ACPI\DSDT\VBOX__ key exists only on VirtualBox guests; SystemBiosVersion and VideoBiosVersion usually carry strings such as VBOX or VMWARE when the machine is virtualized; and SafeBoot\Option exists only when Windows was booted into Safe Mode, a state in which many security products are not running. MachineGuid and the hosts file, on the other hand, are read by plenty of legitimate software (licensing, telemetry), so they are weak signals on their own; it is the combination that is telling. This behavior is definitely not typical for a weather widget.
After ensuring it is not running in a virtual environment, the program collects basic system information. This “fingerprint” contains no confidential data, but it is enough to identify the infected machine uniquely (MachineGuid alone is a stable per-installation identifier). This step, like the previous one, is characteristic of malware rather than of a regular weather widget.
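The check-and-fingerprint sequence above is easy to spot in a Procmon capture if you score the accesses rather than grep for single keys. The following is an added example (not code from the original article or from Weather Zero's authors): it takes Procmon-style CSV lines, assigns each path to a category, and flags a process only when VM-artifact probing is combined with fingerprinting or when several probe kinds appear. The log lines are constructed to mirror the keys listed above, plus one benign MachineGuid read by notepad.exe for contrast; the category names and the flagging threshold are my own heuristic, not a published rule.

```python
"""Score Procmon-style access events for anti-analysis and fingerprinting
behaviour. Added example, not part of the original article."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample in Procmon CSV export shape: Time,Process,Operation,Path,Result.
SAMPLE_LOG = [
    r"12:00:01,WeatherZero.exe,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\VBOX__,NAME NOT FOUND",
    r"12:00:01,WeatherZero.exe,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS",
    r"12:00:01,WeatherZero.exe,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion,SUCCESS",
    r"12:00:01,WeatherZero.exe,RegQueryValue,HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid,SUCCESS",
    r"12:00:02,WeatherZero.exe,RegOpenKey,HKLM\System\CurrentControlSet\Control\SafeBoot\Option,NAME NOT FOUND",
    r"12:00:02,WeatherZero.exe,CreateFile,C:\Windows\system32\drivers\etc\hosts,SUCCESS",
    r"12:00:02,WeatherZero.exe,CreateFile,C:\WINDOWS\wininit.ini,NAME NOT FOUND",
    r"12:00:03,notepad.exe,RegQueryValue,HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid,SUCCESS",
]

# Heuristic categories (assumption, not a published rule set). Order matters: the
# BIOS-version rules must fire before the broader DESCRIPTION\System rule.
RULES = [
    ("vm_artifact",       re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I)),                    # VirtualBox-only ACPI table
    ("vm_artifact",       re.compile(r"\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("safe_mode_check",   re.compile(r"\\Control\\SafeBoot\\Option$", re.I)),             # exists only in Safe Mode
    ("fingerprint",       re.compile(r"\\Cryptography\\MachineGuid$", re.I)),             # stable per-install ID
    ("fingerprint",       re.compile(r"\\HARDWARE\\DESCRIPTION\\System$", re.I)),
    ("environment_probe", re.compile(r"\\drivers\\etc\\hosts$|\\wininit\.ini$", re.I)),
]


def classify(path: str) -> Optional[str]:
    """Map a file or registry path to a probe category, or None if it is uninteresting."""
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return None


def parse_event(line: str) -> Optional[dict]:
    """Split one Procmon CSV line; the path column never contains commas in this export."""
    parts = line.split(",", 4)
    if len(parts) != 5:
        return None
    _time, process, operation, path, result = parts
    return {"process": process, "operation": operation, "path": path, "result": result.strip()}


def triage_processes(lines: Iterable[str], min_categories: int = 3) -> Dict[str, dict]:
    """Group probe hits per process and decide whether the pattern looks like anti-analysis.

    A lone fingerprint read is normal for legitimate software, so a process is flagged
    only when it pairs VM detection with fingerprinting, or touches several probe kinds.
    """
    per_proc: Dict[str, dict] = defaultdict(lambda: {"categories": set(), "hits": []})
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        category = classify(event["path"])
        if category is None:
            continue
        per_proc[event["process"]]["categories"].add(category)
        per_proc[event["process"]]["hits"].append((category, event["path"], event["result"]))

    report: Dict[str, dict] = {}
    for process, data in per_proc.items():
        cats = data["categories"]
        suspicious = ("vm_artifact" in cats and "fingerprint" in cats) or len(cats) >= min_categories
        report[process] = {"categories": sorted(cats), "hits": data["hits"], "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for process, info in triage_processes(SAMPLE_LOG).items():
        print(f"{process}: suspicious={info['suspicious']} categories={info['categories']}")
        for category, path, result in info["hits"]:
            print(f"    [{category}] {path} -> {result}")
```

Point this at a real Procmon CSV export (File > Save, CSV format) by reading the file line by line instead of SAMPLE_LOG; the header row is dropped automatically because it does not classify. The result column is worth keeping in the report: NAME NOT FOUND on the VBOX__ key is exactly what a bare-metal victim looks like, so the sample that does the checking is the thing to hunt, not the outcome of the check.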
C2 Connection
The dubious program reaches out to the following addresses, which I treat as its command and control (C2) endpoints:
TCP 172.67.211.190:443
TCP 20.99.132.105:443
TCP 104.26.11.57:443
UDP 192.168.0.13:137
TCP 142.250.69.195:80
Notably, most of them resolve to well-known infrastructure: weatherzero.com, microsoft.com, Azure, Google, Cloudflare, and Amazon Web Services (172.67.x and 104.26.x are Cloudflare ranges, 142.250.x is Google). The single UDP entry, 192.168.0.13:137, is a private RFC 1918 address and NetBIOS name-service traffic, i.e. noise from the analysis LAN rather than a remote server. This may indicate that Weather Zero makes some genuine calls, or that it simply performs useless actions to confuse security systems. Either way, these IPs are weak indicators on their own: blocking a Cloudflare or Google address would break legitimate services, so any blocking should be done by domain rather than by IP.
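Before such a connection list goes into a blocklist it needs triage, otherwise you end up blocking your own LAN's NetBIOS traffic and half of Cloudflare. The following is an added example (not from the original article) that sorts the observed endpoints into local noise, shared infrastructure, and candidates that still need enrichment. The provider prefixes are a small subset of Cloudflare's and Google's published IPv4 ranges and are an assumption to re-check against the current lists; the endpoint list is constructed from the connections above.

```python
"""Triage sandbox-observed endpoints into actionable and non-actionable indicators.
Added example, not part of the original article."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed from the connection list above, in "PROTO ip:port" form.
OBSERVED = [
    "TCP 172.67.211.190:443",
    "TCP 20.99.132.105:443",
    "TCP 104.26.11.57:443",
    "UDP 192.168.0.13:137",
    "TCP 142.250.69.195:80",
]

# ASSUMPTION: a subset of the providers' published IPv4 ranges; verify against the
# current Cloudflare and Google lists before relying on them in production.
SHARED_INFRA = {
    "Cloudflare": [ipaddress.ip_network(n) for n in ("172.64.0.0/13", "104.16.0.0/13", "104.24.0.0/14")],
    "Google":     [ipaddress.ip_network(n) for n in ("142.250.0.0/15",)],
}

# Local discovery protocols that show up in almost every Windows capture.
LOCAL_NOISE_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 5355: "LLMNR", 1900: "SSDP"}


def parse_endpoint(entry: str) -> dict:
    """'TCP 1.2.3.4:443' -> {'proto': 'TCP', 'ip': IPv4Address('1.2.3.4'), 'port': 443}."""
    proto, hostport = entry.split()
    host, port = hostport.rsplit(":", 1)
    return {"proto": proto.upper(), "ip": ipaddress.ip_address(host), "port": int(port)}


def classify_endpoint(entry: str) -> dict:
    """Attach a verdict and a one-line reason to an endpoint."""
    ep = parse_endpoint(entry)
    ip, port = ep["ip"], ep["port"]
    if ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_multicast:
        reason = LOCAL_NOISE_PORTS.get(port, "non-routable address")
        verdict, note = "local_noise", f"{reason}; traffic on the analysis LAN, not a remote server"
    else:
        owner = next((name for name, nets in SHARED_INFRA.items() if any(ip in n for n in nets)), None)
        if owner:
            verdict, note = "shared_infrastructure", f"{owner} range; block by domain or SNI, never by IP"
        else:
            verdict, note = "candidate", "not in a known shared range; enrich with WHOIS/passive DNS before blocking"
    return {**ep, "ip": str(ip), "verdict": verdict, "note": note}


def triage_endpoints(entries: Iterable[str] = OBSERVED) -> Dict[str, List[dict]]:
    """Group endpoints by verdict; only the 'candidate' group belongs in a blocklist."""
    grouped: Dict[str, List[dict]] = {"local_noise": [], "shared_infrastructure": [], "candidate": []}
    for entry in entries:
        result = classify_endpoint(entry)
        grouped[result["verdict"]].append(result)
    return grouped


if __name__ == "__main__":
    for verdict, items in triage_endpoints().items():
        for item in items:
            print(f"{verdict:22} {item['proto']} {item['ip']}:{item['port']}  {item['note']}")
```

For the Cloudflare-fronted entries the useful indicator is the hostname in the TLS SNI or the HTTP Host header from the same capture, not the address, because the address is shared with thousands of unrelated sites and rotates.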
Payload
Next, the app in question proceeds with its primary task: delivering its payload into the system. The program drops the following DLL files into the user’s temporary folder, %USERPROFILE%\AppData\Local\Temp:
nsaE521.tmp\INetC.dll
nsvF2EC.tmp\INetC.dll
nsz528C.tmp\INetC.dll
nso2BAD.tmp\INetC.dll
A caveat on these names: randomly named ns*.tmp directories and INetC.dll are the signature of an NSIS installer. NSIS unpacks its plugin DLLs into such a directory for the duration of the run, and INetC is the NSIS plugin used to download files from the internet during installation. So the DLLs themselves are installer tooling rather than the payload; what they tell us is that the installer fetches additional content at install time instead of carrying it inside the package, which is exactly how a dropper behaves. Since Weather Zero was installed with administrative privileges, the installer, its plugins, and anything they download and launch all run at the highest privilege level. The payload I’ve got in my observations appears to be something dull and uninteresting, but I suspect this is due to its detection of a virtualized environment. It is not clear whether this junkware can deploy “serious” malware or stops at adware and browser hijackers, like some similar programs do.
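Leftover ns*.tmp directories are a cheap thing to hunt for on a suspect machine: NSIS removes its plugin directory when the installer exits, so survivors point at an installer that crashed, was killed, or is still running, and the DLL names inside say which plugins it used. The following is an added example (not code from the original article) that runs the hunt against a constructed stand-in for %LOCALAPPDATA%\Temp; the directory-name pattern is derived from the four names listed above ("ns", one letter, four hex digits), and the sample tree it builds is fabricated for the demonstration.

```python
"""Hunt for leftover NSIS plugin directories in a Temp folder.
Added example, not part of the original article."""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Pattern derived from the names in the analysis: nsaE521.tmp, nsvF2EC.tmp, nsz528C.tmp, nso2BAD.tmp.
NSIS_PLUGIN_DIR = re.compile(r"^ns[a-z][0-9a-f]{4}\.tmp$", re.IGNORECASE)


def find_nsis_plugin_dirs(temp_root: Path) -> List[Tuple[str, List[str]]]:
    """Return (directory name, DLL names inside) for every NSIS-style plugin dir under temp_root."""
    findings: List[Tuple[str, List[str]]] = []
    for entry in sorted(Path(temp_root).iterdir(), key=lambda p: p.name.lower()):
        if entry.is_dir() and NSIS_PLUGIN_DIR.match(entry.name):
            dlls = sorted(p.name for p in entry.iterdir() if p.suffix.lower() == ".dll")
            findings.append((entry.name, dlls))
    return findings


def downloader_dirs(findings: List[Tuple[str, List[str]]]) -> List[str]:
    """Only the directories that carried INetC.dll, i.e. installers that pulled files from the internet."""
    return [name for name, dlls in findings if any(d.lower() == "inetc.dll" for d in dlls)]


def build_sample_temp() -> Path:
    """Constructed stand-in for %LOCALAPPDATA%\\Temp so the hunt runs offline."""
    root = Path(tempfile.mkdtemp(prefix="sample_temp_"))
    for name in ("nsaE521.tmp", "nsvF2EC.tmp", "nsz528C.tmp"):
        (root / name).mkdir()
        (root / name / "INetC.dll").write_bytes(b"MZ constructed stub, not a real DLL")
    (root / "nso2BAD.tmp").mkdir()                       # DLL already cleaned up, directory left behind
    (root / "notes.tmp").mkdir()                         # unrelated .tmp directory, must not match
    (root / "notes.tmp" / "INetC.dll").write_bytes(b"MZ")
    (root / "report.txt").write_text("not a directory")
    return root


if __name__ == "__main__":
    # On a real host: find_nsis_plugin_dirs(Path(os.environ["LOCALAPPDATA"]) / "Temp")
    hits = find_nsis_plugin_dirs(build_sample_temp())
    for name, dlls in hits:
        print(f"{name}: {', '.join(dlls) or '(empty)'}")
    print("used the INetC download plugin:", downloader_dirs(hits))
```

A hit is not proof of Weather Zero, since every NSIS-packaged product uses the same mechanism; correlate the directory's modification time with the install time of the suspect application and with the network connections from the same window before drawing conclusions.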
How To Remove Weather Zero?
To remove Weather Zero, use GridinSoft Anti-Malware: it will reliably remove this threat and protect against others, regardless of their source. Download it through the link below and follow the guide to make your system as clean as new.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the antimalware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects, and potential source of infection.
Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.
I recently installed WeatherZero on my computer and was planning to uninstall it, but then a window popped up.