Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

June 11th, 2009

What is Win32:Patched [Trj]

A patch is a utility that can be used to change a few bytes in the original file. It’s usually used to bypass license validation or to enable a hidden function. These patches are normally used with the knowledge and agreement of the user. However, another group of patches is actually malware which is used to perform the same functions without the user’s knowledge or agreement. In this case, system files are patched to gain backdoor access to a system (i.e. by changing the startup key to run the malware after booting). These files are detected by avast! as Win32:Patched.

The difference between file infectors (viruses) and patches is shown in the picture below. Patches just change a few bytes and can’t spread themselves. File infectors infect (patch) the victim file and add a virus body to perform a malicious action and can infect other files.

Different between Patcher x File infector

Differences between Patcher x File infector

The bad guys always target their patch to system files. The system file user32.dll is the most often patched file. By patching just one byte, the intended malware can be run automatically after starting windows.

The following table shows the most In-The-Wild Win32:Patched detections:

Detection name Patched files
Win32:SysPatch [Wrm] user32.dll
Win32:Patched-HO [Trj] any
Win32:Patched-HN [Trj] Windows Live Messenger
Win32:Patched-CK [Trj] %System32%\*.exe
Win32:Patched-JI [Trj] any
Win32:Patched-JQ [Trj] %System32%\actxprxy.dll
Win32:Patched-KG [Trj] any
Win32:Patched-KD [Trj] %System32%\mswsock.dll
Win32:Patched-HQ [Trj] any
Win32:Patched-JU [Trj] %System32%\kernel32.dll

The chart below shows the distribution of patched files detected by avast. You can see that nearly 50% of all patched files are user32.dll.

Distribution of patched files detected by Avast

Distribution of patch files detected by Avast

Categories: lab Tags:
Comments are closed.