Sophos

Download Windows 7 security - A great leap forward or business as usual?

Is Your Windows “ws2_32.dll” File Safe?

The Windows Sockets library, ws2_32.dll, is required by Windows and by applications to handle network connections. SophosLabs recently published a detection, named W32/Patched-D, for infected ws2_32.dll files that attempt to download files onto the compromised computer.

The interesting trick is that the malicious download code (a function called Payload) hides inside an export function named connect rather than at the usual entry point of the infected file. When an application calls the connect API of the infected ws2_32.dll, it executes the Payload function shown in the picture, which attempts to connect to the following URLs to download files:

hxxp:/vampire000tw.xxx.com
hxxp:/vampire000tw.xxx.st/.com/

The W32/Patched-D identity is able to disinfect infected ws2_32.dll files. While this technique (hooking the virus code into another function call) is not new, it does highlight one of the tricks malware authors sometimes use to infect files and to control when a payload is executed.
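One defensive check for the export-hooking trick described above is to resolve each export's entry RVA against the DLL's section table and flag entries that land outside the expected code section or in a writable and executable section. The following is an added example, not Sophos' code or the W32/Patched-D detection; the section layout, export RVAs and the `.xtra` section name are constructed sample values, and it assumes the patched export has been redirected to injected code (it would not catch an in-place patch inside the original function body).

```python
"""Flag PE exports whose entry point falls outside the module's code section.

Added example (not Sophos' code). Models a patched ws2_32.dll whose
``connect`` export has been redirected into injected code. All section
and export values below are constructed samples, not a real ws2_32.dll.
"""
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    characteristics: int


def section_for_rva(sections, rva):
    """Return the section containing ``rva``, or None if it maps nowhere."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def suspicious_exports(sections, exports, code_section=".text"):
    """Return {export_name: reason} for exports whose entry does not resolve
    into ``code_section`` or lands in a writable+executable section."""
    findings = {}
    for name, rva in exports.items():
        sec = section_for_rva(sections, rva)
        rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if sec is None:
            findings[name] = "RVA maps to no section"
        elif sec.characteristics & rwx == rwx:
            findings[name] = f"entry in writable+executable section {sec.name}"
        elif sec.name != code_section:
            findings[name] = f"entry in {sec.name}, not {code_section}"
    return findings


# Constructed sample: normal layout plus an appended RWX section (.xtra),
# with ``connect`` redirected into it while the other exports stay in .text.
SAMPLE_SECTIONS = [
    Section(".text", 0x1000, 0x30000, IMAGE_SCN_MEM_EXECUTE),
    Section(".data", 0x31000, 0x2000, IMAGE_SCN_MEM_WRITE),
    Section(".rsrc", 0x33000, 0x1000, 0),
    Section(".xtra", 0x34000, 0x400, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
]
SAMPLE_EXPORTS = {"WSAStartup": 0x1234, "send": 0x2F00, "connect": 0x34010}

if __name__ == "__main__":
    for name, why in suspicious_exports(SAMPLE_SECTIONS, SAMPLE_EXPORTS).items():
        print(f"{name}: {why}")
```

On a real file the section table and export RVAs would be read from the PE headers (for example with a PE parsing library); the heuristic itself is unchanged.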


