Virus:Win32/Patchload.R

Virus:Win32/Patchload.R is a generic detection for modified DLL files that are used to load arbitrary files that may already be present on an affected computer. In the wild, it has been observed being used to load files that are related to PWS:Win32/OnLineGames - a family of trojans that steals credentials and other related data for popular online games.

Installation

Virus:Win32/Patchload.R may be installed by other malware and present as a modified system DLL. For example, in the wild it has been found in modified versions of the following DLL (amongst others):

• imm32.dll

The malicious code is appended to the code section of the modified DLL file.

Payload

Loads arbitrary files

Upon execution of a modified DLL file, it loads an arbitrary number of files whose paths and names are hardcoded within its body.

In the wild, this malware has been observed attempting to load files with the following file name:

• wuautui.dll

These files may be related to the PWS:Win32/OnLineGames family.

Analysis by Lena Lin