Patched (malware)
Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008.[1] Files detected as "Trojan.Win32.Patched" are usually Windows components that have been patched by a malicious application. The purpose of the patching varies. For example, certain malware patches system components in order to disable security features, such as the Windows Safe File Check feature. Other malware adds parts of its code to a system component and then patches certain functions of the original file to point to the appended code.[2]
Technical name | win32/Patched |
---|---|
Aliases | |
Family | Malware |
Type | Computer virus |
Subtype | Trojan |
Isolation | 2008 |
Operation
This Trojan operates by modifying legitimate system files on an infected system.[3] Additionally, malware can add parts of its code to a system component and then patch certain functions of the original file to point to the appended code. The most frequently patched components are:
Initial infection
- Variant R replaces the original legitimate system file "sfc.dll" with a patched version. The original "sfc.dll" may have been moved by malware to another location within the same computer. Trojan:Win32/Patched.R is capable of loading other files. It may be installed by other malware.[5]
- Variant I represents malicious, packed Win32 programs. Many malicious programs are packed with particular utilities in an attempt to avoid detection.[6]
- Variant C defines corrupted DLL files that are modified to load an additional DLL. This variant may also attack and corrupt the services.exe executable.[1]
- Variant A can modify a legitimate DLL file on an infected system.[3]
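The appended-code behaviour described above can leave static traces in a file's PE section table. The following is an added example, not code from any of the cited vendors: it flags two common indicators (a section that is both writable and executable, and an entry point inside the last section) and does not detect in-place patches of individual functions. The sample images, section names and the `build_sample` helper are constructed for illustration.

```python
import struct

EXECUTE, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def parse_pe(pe: bytes):
    """Return (entry_point_rva, [(name, rva, virtual_size, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, nt + 24 + 16)  # AddressOfEntryPoint
    first = nt + 24 + opt_size                             # start of section table
    sections = []
    for off in range(first, first + 40 * count, 40):
        name, vsize, rva = struct.unpack_from("<8sII", pe, off)
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize, flags))
    return entry, sections

def appended_code_indicators(pe: bytes):
    """Triage heuristics only: packers and some legitimate files trip them too."""
    entry, sections = parse_pe(pe)
    findings = [f"section {n} is writable and executable"
                for n, _, _, flags in sections if flags & EXECUTE and flags & WRITE]
    if len(sections) > 1:
        name, rva, vsize, _ = sections[-1]
        if rva <= entry < rva + vsize:
            findings.append(f"entry point 0x{entry:x} is in last section {name}")
    return findings

def build_sample(entry, sections):
    """Constructed header-only PE32 image (no real code) for the demonstration."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(struct.pack("<8sIIII12xI", n.encode(), vsize, rva, 0, 0, flags)
                     for n, rva, vsize, flags in sections)
    return dos + coff + bytes(opt) + table

BASE = [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040),
        (".reloc", 0x4000, 0x1000, 0x42000040)]
CLEAN = build_sample(0x1200, BASE)                                       # constructed
PATCHED = build_sample(0x5000, BASE + [(".adata", 0x5000, 0x800, 0xE0000020)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, appended_code_indicators(image) or "no indicators")
```

A hit is a reason to compare the file against a known-clean copy of the same Windows build, not proof of infection.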
Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine. Additionally, there are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).[1]
Removal and detection
It is not advised to delete, rename or quarantine patched Windows components because doing so may affect system stability. Even though Windows locks its main files while it is active, it might still be possible to affect them.
If your anti-virus software detects a certain file as Trojan.Win32.Patched, it can attempt to create a copy of the patched file, try to restore its contents, and then add a renaming command to the Windows Registry in order to replace the patched file with the cleaned one during the next Windows startup.
Restoring one of the recent System Restore points may be advisable. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point, it is advised to back up all personal data to avoid losing it when Windows rolls back to a previously saved state.
Windows installation discs contain a repair option that can replace the patched file.
Another course of action is to attach the hard drive containing the patched file as a slave to a similar Windows-based system, boot up, and replace the patched file with a file taken from a clean system.[2]
Prevention
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
- Protect yourself against social engineering attacks.
References
- Malware Encyclopedia: Virus:Win32/Patched.C, Microsoft, 2008-10-22, retrieved 2012-07-06
- Virus and threat descriptions: Trojan:W32/Patched, F-Secure, retrieved 2012-07-06
- Malware Encyclopedia: Virus:Win32/Patched.A, Microsoft, 2009-09-30, retrieved 2012-07-06
- In-The-Field Analysis of "TrojanHorse:win32/Patched.c.LYT" Virus, RapidWhiz, archived from the original on 2013-01-22, retrieved 2012-07-06
- Malware Encyclopedia: Virus:Win32/Patched.R, Microsoft, 2010-01-16, retrieved 2012-07-06
- Malware Encyclopedia: Virus:Win32/Patched.I, Microsoft, 2010-01-16, retrieved 2012-07-06