
Virus:Win32/Patchstart.A


First posted on 18 January 2010.
Source: SecurityHome

Aliases :

There are no other names known for Virus:Win32/Patchstart.A.

Explanation :

Virus:Win32/Patchstart.A is a detection for DLL files that are infected by a virus.

When the infected DLL is loaded by a program, it attempts to execute or load other files, which are probably malicious. The files are taken from a list found in the following configuration file:

<system folder>\wsconfig.db

Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

For example, one instance of the configuration file specified that the following files should be loaded:

C:\WINDOWS\system32\kb128215715.dll
C:\WINDOWS\system32\kb828215727.dll
C:\WINDOWS\system32\kb928215755.dll
C:\WINDOWS\system32\kb328215818.dll
C:\WINDOWS\system32\kb1128215827.dll
C:\WINDOWS\system32\kb62822030.dll
C:\WINDOWS\system32\kb122822038.dll
C:\WINDOWS\system32\kb142822053.dll
C:\WINDOWS\system32\kb162822144.dll

In the wild, we have observed Windows system files such as <system folder>\imm32.dll (IMM Input Method Manager) being infected with Virus:Win32/Patchstart.A.

Virus:Win32/Patchstart.A infects files by appending code to the end of the targeted file. The code is appended by adding a new section with the section name ".ss32".

Analysis by Dan Kurc and Francis Allan Tan Seng
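
A triage check built from the infection marker described above, as an added example that is not part of the original write-up: it parses a file's PE section table and flags the file when the section ending furthest into the file is named ".ss32". The function names and the header-only sample produced by build_sample are constructed for illustration; a match is a hint for further analysis, not a confirmed detection.

```python
import struct
import sys

MARKER = b".ss32"  # section name the write-up reports for the appended code

def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature
    nsect = struct.unpack_from("<H", data, pe_off + 4 + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 4 + 16)[0]  # SizeOfOptionalHeader
    table = pe_off + 4 + 20 + opt_size
    if table + 40 * nsect > len(data):
        raise ValueError("truncated section table")
    out = []
    for i in range(nsect):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        out.append((hdr[:8].rstrip(b"\0"), raw_off, raw_size))
    return out

def patchstart_indicator(data: bytes) -> bool:
    """True if the section ending furthest into the file is named .ss32."""
    sections = pe_sections(data)
    if not sections:
        return False
    last = max(sections, key=lambda s: s[1] + s[2])
    return last[0] == MARKER

def build_sample(names):
    """Constructed PE headers only (no code or data) for offline testing."""
    pe_off, opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt, 0x2102)
    secs = b"".join(
        n.ljust(8, b"\0")
        + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
        + b"\0" * 16
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + b"\0" * opt + secs

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. DLLs copied from a system folder
        with open(path, "rb") as f:
            print(path, patchstart_indicator(f.read()))
```

Run as a script, it prints True or False for each file path given on the command line and raises ValueError for a file that is not a PE image.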

Last update 18 January 2010

 
