Virus:Win32/Patchload.P
First posted on 12 July 2011.
Source: SecurityHome
Aliases:
Virus:Win32/Patchload.P is also known as Win-Trojan/Patched.DD (AhnLab), Packed.Win32.Katusha.b (Kaspersky), W32/Patched.BH (Norman), Win32/Patched.HK trojan (ESET), W32/Katusha (McAfee), Trojan.Paccyn!inf (Symantec), PTCH_KATUSHA.CK (Trend Micro).
Explanation:
Virus:Win32/Patchload.P is the detection for files that are modified by other malware.
Installation
Virus:Win32/Patchload.P may be present on the computer as modified executable files in which the malicious code is appended to the file's last section. The executable file may have been a legitimate file prior to its modification, so the detection names the patched host file rather than the malware that patched it.
Payload
Runs another file
Virus:Win32/Patchload.P attempts to retrieve the data from the following registry entry to generate a 5-digit number:
In subkey: HKLM\SYSTEM\Setup\Pid
And value: "Pid"
Using the generated 5-digit number, Virus:Win32/Patchload.P attempts to execute a file with the following name; this file may itself be malicious:
- <system folder>\c_<5-digit number>.nls
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
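Two triage checks follow from the Installation and Payload sections above: a patched host file tends to have its entry point inside the last section, and the loaded c_<5-digit number>.nls file is a PE executable rather than an NLS code-page table. The script below is an added example written for this entry, not code from the original write-up or from the analysed sample. It implements a minimal PE header parser and an NLS directory scan; the PE header it builds for the demo and the three sample .nls files it writes are constructed test data, and the "entry point in last section" rule is a heuristic (packers and some linkers produce the same layout), not a detection signature.

```python
import os
import re
import struct
import tempfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def parse_pe(data: bytes):
    """Parse just enough of a PE image to get the entry-point RVA and the section table.
    Returns (entry_rva, [(name, virtual_address, virtual_size, raw_size), ...])."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                                # section table follows it
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vaddr, vsize, rsize))
    return entry_rva, sections


def entry_point_in_last_section(data: bytes) -> bool:
    """Heuristic for the patching pattern described above: entry point inside the
    last section instead of the first code section. Treat a hit as a lead, not a verdict."""
    entry_rva, sections = parse_pe(data)
    if len(sections) < 2:
        return False
    for idx, (_name, vaddr, vsize, rsize) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            return idx == len(sections) - 1
    return False


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed two-section PE32 header (headers only, not a runnable program):
    .text at RVA 0x1000 and .rsrc at RVA 0x2000, with the entry point the caller chooses."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)    # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    hdr = "<8sIIIIIIHHI"
    text = struct.pack(hdr, b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(hdr, b".rsrc", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + text + rsrc


NLS_NAME = re.compile(r"^c_\d{1,5}\.nls$", re.IGNORECASE)


def find_suspicious_nls(system_dir: str):
    """List c_*.nls files in system_dir whose contents begin with 'MZ'. Genuine code-page
    tables are data files, and real code pages such as 20127 or 28591 also have five-digit
    names, so the file content, not the digit count, is what separates the two."""
    hits = []
    for name in sorted(os.listdir(system_dir)):
        if not NLS_NAME.match(name):
            continue
        path = os.path.join(system_dir, name)
        try:
            with open(path, "rb") as fh:
                head = fh.read(2)
        except OSError:
            continue
        if head == MZ_MAGIC:
            hits.append(path)
    return hits


def run_nls_demo():
    """Scan a throwaway directory seeded with constructed files: two table-like .nls files
    and one 'c_<5 digits>.nls' that is really a PE. Returns the base names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "c_1252.nls": b"\x0d\x00\xe4\x04" + b"\0" * 60,    # constructed, benign-looking
            "c_20127.nls": b"\x0d\x00\xa7\x4e" + b"\0" * 60,   # constructed, five digits, benign
            "c_12345.nls": build_sample_pe(0x2010),          # constructed PE posing as NLS
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return [os.path.basename(p) for p in find_suspicious_nls(tmp)]


if __name__ == "__main__":
    print("demo hits:", run_nls_demo())
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system32):
        print("live hits:", find_suspicious_nls(system32))
```

On a Windows host the `__main__` block points the same scan at `%SystemRoot%\System32`; a flagged file should be pulled for analysis together with any executable whose entry point `entry_point_in_last_section` reports as sitting in the last section, since the page describes the .nls file as being launched by such a patched host.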
Analysis by Jonathan San Jose
Last update 12 July 2011