A patch is a utility that can be used to change a few bytes in the original file. It's usually used to bypass license validation or to enable a hidden function. These patches are normally used with the knowledge and agreement of the user. However, another group of patches is actually malware which is used to perform the same functions without the user's knowledge or agreement. In this case, system files are patched to gain backdoor access to a system (i.e. by changing the startup key to run the malware after booting). These files are detected by avast! as Win32:Patched.
The difference between file infectors (viruses) and patches is shown in the picture below. Patches just change a few bytes and can't spread themselves. File infectors infect (patch) the victim file and add a virus body to perform a malicious action and can infect other files.
The bad guys always target their patch to system files. The system file user32.dll is the most often patched file. By patching just one byte, the intended malware can be run automatically after starting windows.
The following table shows the most In-The-Wild Win32:Patched detections:
Detection name |
Patched files |
Win32:SysPatch [Wrm] |
user32.dll |
Win32:Patched-HO [Trj] |
any |
Win32:Patched-HN [Trj] |
Windows Live Messenger |
Win32:Patched-CK [Trj] |
%System32%\*.exe |
Win32:Patched-JI [Trj] |
any |
Win32:Patched-JQ [Trj] |
%System32%\actxprxy.dll |
Win32:Patched-KG [Trj] |
any |
Win32:Patched-KD [Trj] |
%System32%\mswsock.dll |
Win32:Patched-HQ [Trj] |
any |
Win32:Patched-JU [Trj] |
%System32%\kernel32.dll |
The chart below shows the distribution of patched files detected by avast. You can see that nearly 50% of all patched files are user32.dll.