What Is wow6432node Malware?

Wow6432node is a SysWoW64 file that is installed with 32-bit versions of Windows.

By default, the file is located in the C:\Windows\SysWOW64 folder, and its original name is Ntdll.dll (it was copied there when Windows was installed).

As its name suggests, wow6432node is a part of Windows 32-bit on 64-bit (x64) systems. However, it does not have to be located in the aforementioned location: it can be copied to the C:\Windows\System32 folder as well, in which case you will see two wow6432node files.

Since wow6432node is a system file that runs inside any application developed for the x86 architecture, its access rights should allow only Administrators to modify it. In practice, this is not always true. If your computer is infected with malware that modifies the permissions of the syswow64/system32/ntdll.dll file, then all applications running on your PC will run with SYSTEM privileges because they all run under a single user.

Behaviour

wow6432node is loaded into every process that runs on Windows 32-bit, whether the application was designed for the x86 or x64 architecture. The filename has nothing to do with what the process does: you can see any Windows program or service loading ntdll.dll, but this does not mean that it is buggy or malicious.

Alternate Names Of wow6432node

  • SysWow64\Ntdll.dll
  • NTDLL.DLL (32-bit versions of Windows Vista/7, confirmed by Microsoft)
  • wow64.dll (Windows Vista x64, which was released before the SysWow64 folder existed; 32-bit version can be found in System32)
  • ntdll.dll (for convenience and backwards compatibility – because this file is used by all versions of Windows 32 and 64 bit).

Malicious Modifications

Running an infected program increases your chances of getting infected with malware yourself, because the program itself now has SYSTEM privileges. That is why it is important to ensure that all processes using wow6432node are legitimate applications and not malware in disguise.

A legitimate program that loads a wrong version of ntdll.dll will exhibit different symptoms from a malware-infected process:

Legitimate Application

  1. If the program crashes, it will probably create an error report containing information about all modules loaded in its memory at the time of the crash.
  2. The crash dump file created may be huge (up to several dozen MB) and contain the full paths of all modules loaded when the program crashed. In this case, you can open the dump file with the WinDbg utility.
  3. The first two digits of the bug check code represent the exception code; the rest can be random numbers or data.
  4. The dump file created contains only a small subset of the loaded modules (usually just one module with its path and image name, an EXE file instead of a DLL). However, this .dmp file is not 100% reliable because some legitimate applications generate memory dumps containing primarily zeros.

How Does wow6432node Malware Affect the User?

  1. The malware attempts to download and install additional malicious/unwanted programs on the user’s computer.
  2. It may hijack the original homepage and search provider of the user’s browser.
  3. Spyware, adware or other unwanted software is installed without the knowledge or permission of the user.
  4. In some cases, it can severely damage your system installation by deleting critical system files.

Prevention From wow6432node Malware

To prevent wow6432node from being loaded into each process automatically, you have the following options:

  1. Delete the proper version of ntdll.dll from the %WINDIR%\System32 folder.
  2. Modify permissions on the file to make it writable by anyone.
  3. You should be very careful when deleting files, especially operating system files! However, if you are sure that the infected version of ntdll.dll came from malware, simply delete it. If you suspect that some other application hijacks it automatically, do not remove that application.
  4. Manually clear all values in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows in order to delete all references to the wow6432node DLL.
  5. Rename the Dummy folder %WINDIR%\SysWoW64\Dummy so it will not be automatically loaded when you reboot your computer.
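Before acting on any of the steps above, a practitioner would first want evidence that the ntdll.dll copies on the machine, and the ntdll.dll loaded into running processes, are actually anomalous. The following read-only script is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later on the machine being inspected. It verifies the Authenticode signature and SHA-256 hash of ntdll.dll in both System32 and SysWOW64, lists any process whose ntdll.dll is loaded from a path other than those two, and prints the current contents of the Session Manager subsystem key named in step 4 so its values can be reviewed without being modified.

```powershell
# Added example (not part of the original article). Read-only: it changes
# nothing on the system, it only reports what is there.

$expected = @(
    (Join-Path $env:WINDIR 'System32\ntdll.dll'),
    (Join-Path $env:WINDIR 'SysWOW64\ntdll.dll')
)

# 1. Signature and hash of the two on-disk copies. A healthy system shows
#    Status 'Valid' with a Microsoft signer for both files.
foreach ($p in $expected) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Missing: $p"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
    }
}

# 2. Processes whose loaded ntdll.dll comes from anywhere other than the two
#    expected folders. Module enumeration fails with "access denied" for
#    protected processes, so those are skipped rather than aborting the scan.
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object {
                $_.ModuleName -ieq 'ntdll.dll' -and
                ($expected -notcontains $_.FileName)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    NtdllPath   = $_.FileName
                }
            }
    } catch {
        # Skip processes we are not allowed to inspect.
    }
}

# 3. Show the subsystem configuration referenced in step 4 above. Note that
#    "Windows" is a value under the SubSystems key, not a subkey, so it is
#    read with Get-ItemProperty on the parent key.
$subsys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
Get-ItemProperty -Path $subsys | Select-Object Windows, Kmode
```

Run it from an elevated PowerShell session so that step 2 can see as many processes as possible; output from an unelevated session will silently omit processes belonging to other users. Any row in step 1 with a Status other than Valid, or any row at all from step 2, is worth investigating further before deleting or re-permissioning anything.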

Alternatively, if you are unable or unwilling to modify the registry yourself, an anti-virus product or a third-party tool can do it for you.

Many anti-virus programs can detect and remove malware files from the memory space of infected processes (before they infect other programs). However, this requires constant updates to cover new processes created by malware writers, and signature-based detection becomes useless some time after a virus has been released. That is why some anti-virus companies use online scanning services to prevent malware from ever infecting the file system.

How To Clean wow6432node Malware From Your Computer

  1. If the infected file was a downloaded program or a media file, you can use a different browser or a dedicated removal tool to clean it. Most well-known anti-virus companies provide free tools that automatically remove malware from websites you visit. However, this is not always effective, because many browsers have security holes that malware can exploit to infect your file system even if you never visit the infected site or download any infected files.
  2. If an application crashes, use its installation disk to uninstall it.
  3. If the infection affects many programs, try Microsoft Safety Scanner. It is an easy-to-use on-demand scanner that can remove viruses from your computer without the need to download any other software. However, it is not effective if malware prevents you from starting some programs or modifying system files.
  4. If none of this helps, use a professional cleaner. It has more advanced tools for removing rootkits and rogue security products, which regular anti-virus scanners cannot find.

Conclusion

To conclude, if you do not want to use any additional tools, simply reinstall your operating system and restore all essential data from backups. This is the most thorough way to remove wow6432node malware because it wipes out all non-native file systems hidden by malware.