Samiksha Jaiswal (Editor)

Patched (malware)

Technical name: win32/Patched
Type: Computer virus
Isolation: 2008
Family: Malware
Subtype: Trojan
Aliases: W32/Patched.*, Win32.Patched.*, Virus:Win32/Patched.*, Trojan:WinNT/Patched.*

Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as "Trojan.Win32.Patched" are usually Windows components that have been patched by a malicious application. The purpose of the patching varies. For example, certain malware patches system components in order to disable security features, such as the Windows Safe File Check feature. Other malware adds parts of its code to a system component and then patches certain functions of the original file to point to the appended code.

Operation

This Trojan operates by modifying legitimate system files on an infected system. Additionally, the malware can add parts of its code to a system component and then patch certain functions of the original file to point to the appended code. The most frequently patched components are:

  • winlogon.exe
  • wininet.dll
  • kernel32.dll
  • iexplore.exe
  • services.exe

Initial Infection

  • Variant R replaces the original legitimate system file "sfc.dll" with a patched version. The original "sfc.dll" may have been placed by the malware in another location on the same computer. Trojan:Win32/Patched.R is capable of loading other files. It may be installed by other malware.
  • Variant I represents malicious, packed Win32 programs. Many malicious programs are packed with particular utilities in an attempt to avoid detection.
  • Variant C denotes corrupted DLL files that have been modified to load an additional DLL. This variant may also attack and corrupt the services.exe executable.
  • Variant A can modify a legitimate DLL file on an infected system.

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine, and no common symptoms are associated with this threat. Alert notifications from installed antivirus software may be the only symptom.

Removal And Detection

It is not advised to delete, rename or quarantine patched Windows components because doing so may affect system stability. Even though Windows locks its main files while it is running, it might still be possible to affect them.

If your antivirus software detects a file as Trojan.Win32.Patched, you can attempt to have it create a copy of the patched file and try to restore its contents; it will then add a renaming command to the Windows Registry so that the patched file is replaced with the cleaned one during the next Windows startup.

Restoring one of the recent System Restore points may be advisable. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point, it is advised to back up all personal data to avoid losing it when Windows rolls back to a previously saved state.

Windows installation discs contain a repair option that can replace the patched file.

Another course of action is to attach the hard drive containing the patched file as a slave drive to a similar Windows-based system, boot that system, and replace the patched file with a file taken from a clean system.
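
One way to check the components listed under Operation (plus the sfc.dll targeted by Variant R) for patching, as an added example that is not part of the original article: a byte-level patch invalidates a file's Authenticode or catalog signature, so this PowerShell script reports every listed file whose signature is not valid. It assumes default installation paths and Windows 10 or later with PowerShell 5.1, where Get-AuthenticodeSignature also validates catalog-signed system files; the function name Test-SystemComponent is hypothetical.

```powershell
# Added example: verify the signatures of the components this article lists.
# Paths assume a default installation under %SystemRoot% and %ProgramFiles%.
$sys32 = Join-Path $env:SystemRoot 'System32'
$targets = @(
    (Join-Path $sys32 'winlogon.exe'),
    (Join-Path $sys32 'wininet.dll'),
    (Join-Path $sys32 'kernel32.dll'),
    (Join-Path $sys32 'services.exe'),
    (Join-Path $sys32 'sfc.dll'),
    (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')
)

# Hypothetical helper: returns one result object per file.
function Test-SystemComponent {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Signer = $null; SHA256 = $null }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A patched file no longer matches its signed hash, so the status becomes
    # HashMismatch, or NotSigned when no embedded or catalog signature applies.
    $verdict = switch ($sig.Status) {
        'Valid' { if ($signer -match 'O=Microsoft Corporation') { 'OK' } else { 'ValidButNotMicrosoft' } }
        default { "Suspect ($($sig.Status))" }
    }
    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Signer = $signer; SHA256 = $hash }
}

$report = $targets | ForEach-Object { Test-SystemComponent -Path $_ }
$report | Format-Table -AutoSize Path, Verdict, SHA256

$suspect = @($report | Where-Object { $_.Verdict -ne 'OK' })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) component(s) need review; compare the SHA256 values with the same build on a clean system."
}
```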

Prevention

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.

References

Patched (malware), Wikipedia