Win32/Patched.CH

By GoldSparrow in Worms

If you are getting alerts that a threat called Win32/Patched.CH has been found on your system, you may be surprised to learn that the scope of the infection (and the scope of the problem) is much larger than a single malicious file. In fact, there is no virus called Win32/Patched.CH. What you can be sure of, however, is that detection of Win32/Patched.CH on your system is a sign that a dangerous threat is present. If you get alerts mentioning Win32/Patched.CH, it is strongly recommended that you act as soon as possible to identify and eliminate the virus that is at fault. In this case, the Trojan at fault is one from the family of System Defender, Alureon – or as it is more commonly known, Zlob.

What it Means to Get an Alert about Win32/Patched.CH

An alert for Win32/Patched.CH means that there is a problem with a specific driver – it is not a systematic infection. However, the driver problem is the result of an infection with some variation on Zlob. Different anti-virus products give this problem different names when they detect the driver issue, and there are many more aliases. Microsoft classifies Win32/Patched.CH as Win32/Alureon.G; Kaspersky calls it Rootkit.Win32.TDSS.ai, and the other major anti-virus companies have their own similar classifications, usually including one or more of the terms "Win32", "Patched", or "TDSS". Remember, though, that these names refer only to the problem that is detected in a driver, not to the virus that is the cause of the problem.

Win32/Patched.CH refers to an infection in the Windows system driver atapi.sys, which is the Windows miniport driver for the hard disk. The Trojan infecting the computer targets this driver and corrupts it, making it unusable. The driver affected varies depending on the computer's hardware configuration; atapi.sys is simply the most commonly affected driver because it is the most frequently used. The Zlob Trojan that targets this driver also looks for other hard disk miniport drivers that correspond to other hard disk configurations, and it will infect and corrupt those if the system doesn't use atapi.sys.

What Makes Win32/Patched.CH Dangerous

It is relatively common for the user of an infected computer to encounter a report of Win32/Patched.CH as the only visible symptom of the Trojan's activity. As a result, many people whose computers are infected with this variety of Zlob seriously underestimate the scope of the problem. The Trojans that corrupt atapi.sys exist solely for the purpose of stealing information and connecting the victim's computer to a botnet. Win32/Patched.CH was created with the goal of financial gain. Win32/Patched.CH can steal user information such as usernames and passwords, credit card information, and other banking information. Win32/Patched.CH can also be used to command the PC without the user's knowledge in order to create fraudulent clicks on ads, conduct targeted Internet searches to manipulate search results, redirect the web browser to manipulate what the user sees, and install other malicious software. Therefore, the detection of Win32/Patched.CH is a sign that the computer is at risk of very considerable damage, possibly even to the point of the keyboard becoming inoperable – and, of course, the user's private information can be exposed and stolen as well.

It is unclear how long the Trojans that cause the Win32/Patched.CH error have been active, but there are reports of Win32/Patched.CH errors going back to 2007, with an apparent spike of infections in spring 2010. Win32/Patched.CH is still a problem because the viruses responsible are still active, so this threat can't be safely ignored.
