Threat Description

Trojan:​W32/Patched

Details

Aliases: Trojan:​W32/Patched, Trojan.Win32.Patched
Category: Malware
Type: Trojan
Platform: W32

Summary



A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.



Removal



It is not advisable to delete, rename or quarantine patched Windows components because it may affect system stability. Even though Windows locks its main files while it is active, it might be still possible to affect them.

Disinfection

If your F-Secure Anti-Virus detected a certain file as Trojan.Win32.Patched, please first try to select the "Disinfect" action. In this case, F-Secure Anti-Virus will create a copy of a patched file, try to restore its contents, and then it will add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.

System Restore Points

In case the approach described above fails, try to restore one of the recent System Restore points. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point it is advised to backup all personal data to avoid loosing it when Windows rolls back to a previously saved state.

Repair

Windows Installation discs contain a repair option. Boot from the CD and select the option to repair. Again, it is advisable to backup your personal data.

If nothing helps to clean an patched system component, the last resort is to attach a hard drive with a patched file as slave to a similar Windows-based system, boot up and to replace a patched file with a file taken from a clean system.

Note: A file used for replacement must be the same version as a patched file. This operation should be done by an experienced computer technician only.



Technical Details



Trojan:W32/Patched is a detection for files (usually Windows components) that are patched by a malicious application.

The purpose of patching varies. For example, some malware will patch system components in order to disable security, such as the Windows Safe File Check feature; others will add malicious code to a system component and then patch certain functions of the original file to point to the added code.

The most frequently patched components are:

  • winlogon.exe
  • wininet.dll
  • kernel32.dll
  • iexplore.exe

Note

Achtung: False Positive Notification

The 2008-11-04_04 database contained a false positive on a German language Windows XP Service Pack 2 file called User32.dlllocated in the C:\WINDOWS\system32 folder. The detection was named Trojan.Win32.Patched.dn and is resolved in the 2008-11-04_06 update.

If you were alerted to Trojan.Win32.Patched.dn, please make sure that you have the most current update, and that User32.dll has not been renamed.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More