RiskTool.Win64.ProcPatcher

Riskware covers legitimate programs (some of which are sold publicly and commonly used for legitimate purposes), which can cause damage when they fall into the hands of malicious users (and are used to delete, block, modify, or copy data, or disrupt the performance of computers or networks). Programs in this class include remote administration utilities, IRC clients, dialer programs, file downloaders, software for monitoring computer activity, password management utilities, and numerous Internet server services such as FTP, web, proxy and telnet. These programs are not malicious in themselves, although they do have functions that can be used for malicious purposes. For example, a remote administration program such as WinVNC provides access to the interface of a remote computer and uses a remote machine to control or monitor it. This is how its functions are described on the developer’s official website: VNC stands for Virtual Network Computing. It is remote control software which allows you to view and interact with one computer (the “server”) using a simple program (the “viewer”) on another computer anywhere on the Internet. The two computers don’t even have to be the same type, so for example you can use VNC to view an office Linux machine on your Windows PC at home. VNC is freely and publicly available and is in widespread active use by millions throughout industry, academia and privately. This is a legitimate piece of software that is publicly available and a necessity for system administrators and other technical specialists. However, in the hands of malicious users, this program is capable of damaging user data; our Virus Lab has recorded incidents in which WinVNC was secretly installed in order to obtain full remote access to someone else’s computer. Another example is the mIRC utility. This is an IRC network client that is also a legitimate program: mIRC is a shareware IRC client for Windows. It is developed and copyrighted by Khaled Mardam-Bey. mIRC is a highly configurable IRC client with all the goodies other clients on UNIX, Macintosh and even on windows offer, combined with a *nice* and clean user interface. mIRC offers full color text lines, DCC File Send and Get capabilities, programmable aliases, a remote commands and events handler, place sensitive popup menu’s, a great Switchbar, World Wide Web and sound support, and… a lot more. mIRC is shareware but not crippled in any way… The extended features of mIRC can also be used by malicious users — our Virus Lab regularly identify Trojan programs (backdoors, in particular) which use mIRC functions. Any IRC backdoor is capable of writing its own scripts to the mIRC configurations file and successfully delivering its malicious payload without the knowledge of the user. The mIRC user won’t even suspect that a Trojan is running on his computer. Often, malicious programs install the mIRC client themselves for later malicious use. In such cases, mIRC is usually saved to the Windows folder and its subfolders. If mIRC is detected in these folders, it almost always means that the computer has been infected with some type of malicious programs. By default, the option to detect Riskware is disabled in Kaspersky Lab products. However, the user can always enable this option. Our opinion is that the user should make his/ her own decision.

Programs in this category have a number of functions (such as concealing files in the system, hiding windows running applications, terminating active processes, etc.) which can be used with malicious intent. They are, in themselves, not malicious. Unlike programs classified as NetTool, RiskTool programs are designed to operate on the local computer. If a user has installed such a program on his/her computer, or if it was installed by a system administrator, then it does not pose any threat.

Win64 is a platform on Windows-based operating systems for execution of 32-/64-bit applications. Win64 programs cannot be launched on 32-bit versions of Windows.

Programs of this family make changes to running OS processes, which reduces the software protection level. Usually these programs are used to “crack” or activate software that requires a license.

Geographical distribution of attacks by the RiskTool.Win64.ProcPatcher family

Geographical distribution of attacks during the period from 19 January 2016 to 19 January 2017

Top 10 countries with most attacked users (% of total attacks)

* Percentage among all unique Kaspersky Lab users worldwide attacked by this riskware