PE_PATCHED.SMB
Windows 2000, XP, Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
Other Details
Based on analysis of the codes, it has the following capabilities:
- This is the Trend Micro detection for copies of the legitimate Windows file IMM32.DLL which have been injected with a malicious code.
- The patching of the said legitimate file was made as part of the autostart technique of the main component file, or possibly other component files. The patched DLL file searches for and executes a possibly malicious file named ole.dll.
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product and note files detected as PE_PATCHED.SMB
Step 3
Restore a modified system file back to its folder location
Step 4
Scan your computer with your Trend Micro product to delete files detected as PE_PATCHED.SMB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.