Threat behavior
Virus:Win32/Patchload.A is a detection for files, typically DLL files, that are infected by a virus. When an infected file is executed, it attempts to execute or load other files, which are often malicious.
In the wild, Windows system files such as <system folder>\dsound.dll and <system folder>\ddraw.dll have been infected and are then detected as Virus:Win32/Patchload.A.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
Some of the file names it attempts to execute or load are:
AVF.tmp
AV13.tmp
AV17.tmp
CHIBAV19.tmp
TIXAAV1A.tmp
AIONAV82.tmp
JXSJAV12.tmp
LVZTAV14.tmp
TLBBAV15.tmp
JXS3AV16.tmp
CHIBAV1C.tmp
Analysis by Francis Allan Tan Seng
Prevention