Patched User32
- Type: Program
- SubType:
- Discovery Date: 05/16/2008
- Length:
- Minimum DAT: 5297 (05/16/2008)
- Updated DAT: 5631 (05/30/2009)
- Minimum Engine: 5.2.00
- Description Added: 05/16/2008
- Description Modified: 12/05/2008 8:35 AM (PT)
Characteristics
This is a detection for a legitimate Windows user32.dll file that has been patched by W32/Mariofev.worm.
All the dynamic libraries listed in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded automatically into every program linked against user32.dll.
W32/Mariofev.worm patches user32.dll to replace the registry key mentioned above with another, randomly generated one. All dynamic libraries listed in this newly created registry key are then injected automatically into every program linked against user32.dll.
This allows stealthy, automatic injection of dynamic libraries.
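One way a responder could confirm the patch described above and recover the replacement name to look for in the registry, as an added example that is not part of the original description or of any vendor tooling. It assumes a known-good user32.dll of the same build is available, that the name is stored as UTF-16LE or ASCII, and that the patch overwrites it in place; the sample bytes and the name `qzkvhwpxutrb` are constructed.

```python
import sys

VALUE_NAME = "AppInit_DLLs"         # name from the registry path quoted on this page
ENCODINGS = ("utf-16-le", "ascii")  # assumption: stored in one of these forms

def find_references(image: bytes):
    """Return (offset, encoding) for every occurrence of VALUE_NAME."""
    hits = []
    for enc in ENCODINGS:
        needle = VALUE_NAME.encode(enc)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = image.find(needle, pos + 1)
    return sorted(hits)

def check_user32(clean: bytes, suspect: bytes):
    """Report what the suspect file holds where the clean file has VALUE_NAME.

    Assumption: the patch overwrites the name in place, so both files share
    the same layout. Returns a list of (offset, replacement_name) findings.
    """
    refs = find_references(clean)
    if not refs:
        raise ValueError("reference copy does not contain " + VALUE_NAME)
    findings = []
    for offset, enc in refs:
        expected = VALUE_NAME.encode(enc)
        found = suspect[offset:offset + len(expected)]
        if found != expected:
            findings.append((offset, found.decode(enc, errors="replace")))
    return findings

def _constructed_image(name: str) -> bytes:
    """Constructed stand-in for a DLL: padding around a UTF-16LE name."""
    return b"MZ" + b"\x00" * 62 + name.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 16

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <known-good user32.dll> <suspect user32.dll>
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            results = check_user32(a.read(), b.read())
    else:  # offline demo on constructed bytes; the replacement name is made up
        results = check_user32(_constructed_image(VALUE_NAME),
                               _constructed_image("qzkvhwpxutrb"))
    for offset, name in results:
        print(f"offset {offset:#x}: expected {VALUE_NAME!r}, found {name!r}")
```

An empty result means the suspect file still references the standard name at every location where the reference copy does.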
Symptoms
Method of Infection
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A