Patched (malware)

From Wikipedia, the free encyclopedia
Technical namewin32/Patched
  • W32/Patched.*
  • Win32.Patched.*
  • Virus:Win32/Patched.*
  • Trojan:WinNT/Patched.*
TypeComputer virus
Operating system(s) affectedMicrosoft Windows

Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008.[1] Files detected as "Trojan.Win32.Patched" are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components in order to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code.[2]


This Trojan operates through modification to legitimate systems files on an infected system.[3] Additionally, malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code. The most frequently patched components are:

  • winlogon.exe
  • wininet.dll
  • kernel32.dll
  • iexplore.exe
  • services.exe.[2][4]

Initial infection[edit]

  • Variant R replaces the original legitimate system file "sfc.dll" with a patched version. The original "sfc.dll" may have been moved by malware to another location within the same computer. Trojan:Win32/Patched.R is capable of loading other files. It may be installed by other malware.[5]
  • Variant I represent malicious, and packed, Win32 programs. Many malicious programs are packed with particular utilities in an attempt to avoid detection.[6]
  • Variant C defines corrupted DLL files that are modified to load an additional DLL. This variant may also attack and corrupt the services.exe executable[1]
  • Variant A can modify a legitimate DLL file on an infected system.[3]


There are no obvious symptoms that indicate the presence of this malware on an affected machine. Additionally, there are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).[1]

Removal and detection[edit]

It is not advised to delete, rename or quarantine patched Windows components because it may affect system stability. Even though Windows locks its main files while it is active, it might be still possible to affect them.

If the user's anti-virus software detected a certain file as Trojan.Win32.Patched, they could attempt to have it create a copy of a patched file, try to restore its contents, and then it will add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.

A restoration to one of the recent System Restore points may be advisable. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point it is advised to back up all personal data to avoid losing it when Windows rolls back to a previously saved state.

Windows Installation discs contain a repair option that can replace the patched file.

Another course of action includes attaching a hard drive with a patched file as slave to a similar Windows-based system, boot up and to replace a patched file with a file taken from a clean system.[2]


  1. ^ a b c Malware Encyclopedia: Virus:Win32/Patched.C, Microsoft, 2008-10-22, retrieved 2012-07-06
  2. ^ a b c Virus and threat descriptions: Trojan:W32/Patched, F-Secure, retrieved 2012-07-06
  3. ^ a b Malware Encyclopedia: Virus:Win32/Patched.A, Microsoft, 2009-09-30, retrieved 2012-07-06
  4. ^ In-The-Field Analysis of "TrojanHorse:win32/Patched.c.LYT" Virus, RapidWhiz, archived from the original on 2013-01-22, retrieved 2012-07-06
  5. ^ Malware Encyclopedia: Virus:Win32/Patched.R, Microsoft, 2010-01-16, retrieved 2012-07-06
  6. ^ Malware Encyclopedia: Virus:Win32/Patched.I, Microsoft, 2010-01-16, retrieved 2012-07-06