Is Your Windows “ws2_32.dll” File Safe?

The Windows Sockets library, ws2_32.dll, is required by Windows and by applications to handle network connections. SophosLabs recently published a detection, named W32/Patched-D, for infected ws2_32.dll files that attempt to download files onto the compromised computer.

The interesting trick is that the malicious download code (a function called Payload) hides inside the exported function named connect rather than at the usual entry point of the infected file. When an application calls the connect API of the infected ws2_32.dll, it executes the Payload function shown in the picture, which attempts to connect to the following URLs to download files:

hxxp://vampire000tw.xxx.com
hxxp://vampire000tw.xxx.st/.com/

The W32/Patched-D identity is able to disinfect infected ws2_32.dll files. While this technique (hiding the virus code inside another exported function rather than the entry point) is not new, it does highlight one of the tricks malware authors sometimes use to infect files and to control when a payload is executed.
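As an added, defender-side check that is not part of the Sophos write-up: the script below verifies the Authenticode/catalog signature of the live ws2_32.dll copies and compares their hashes against the known-good copies Windows keeps in the component store. It assumes PowerShell 4 or later on Windows and an elevated prompt (so WinSxS is readable); the function name is my own.

```powershell
# Added example, not from the Sophos post: flag a ws2_32.dll that has been patched on disk.
# Assumptions: PowerShell 4+, Windows, run elevated so the WinSxS component store can be read.
function Test-Ws2_32Integrity {
    param(
        [string[]]$Paths = @("$env:SystemRoot\System32\ws2_32.dll",
                             "$env:SystemRoot\SysWOW64\ws2_32.dll")
    )

    # Known-good copies kept by the component store; after updates several versions may exist,
    # and the live file should match one of them.
    $storeHashes = Get-ChildItem "$env:SystemRoot\WinSxS" -Recurse -Filter ws2_32.dll -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } |
        Sort-Object -Unique

    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }

        # System DLLs are catalog-signed; a file modified on disk no longer matches its catalog hash.
        # On older Windows releases catalog-signed files can report NotSigned, so treat the
        # hash comparison as the deciding signal there.
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $hash = (Get-FileHash $p -Algorithm SHA256).Hash
        $inStore = $storeHashes -contains $hash

        [pscustomobject]@{
            Path            = $p
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            MatchesWinSxS   = $inStore
            Suspicious      = ($sig.Status -ne 'Valid') -or (-not $inStore)
        }
    }
}

Test-Ws2_32Integrity | Format-List
```

A file reported as Suspicious can be double-checked with `sfc /verifyfile=C:\Windows\System32\ws2_32.dll`, which compares it against the protected copy and can restore it.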