Fake Windows IME Trojan

Security researchers at Websense have discovered a new Trojan that abuses the Windows input method mechanism to disable and delete antivirus software and take over the victim's machine.

The malicious program installs itself as a Windows input method editor (IME), stops every antivirus process it finds, deletes the antivirus executables, and disguises itself on the system as an antivirus update package.

Websense has published a blog post describing how the Trojan infects a Windows system. Once the malware runs, a file named winnea.ime is created in the Windows system folder.

When the default input method is opened, the newly created winnea.ime is loaded and starts searching for installed antivirus products.

At the same time, winnea.ime drops a file called pcij.sys into the system folder and loads it as a kernel driver.

Next, the IME calls DeviceIoControl to send a control code to the pcij.sys driver, and the driver kills the running process of every antivirus product on its list. Note that loading a driver requires administrative privileges, so the Trojan depends on running in an administrator account; on a system where the user runs with limited rights, this stage cannot complete.

It is clear that the Windows input method is becoming a popular way for attackers to get malicious code loaded: an IME registered as the system default is loaded into applications that accept keyboard input, so the attacker's code runs without a separate persistence mechanism.
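The two artefacts described above, an .ime file registered as an input method and a kernel driver loaded next to it, can both be audited from an elevated Windows PowerShell prompt. The script below is an added example written for this post; it is not code from Websense, from the original article, or from the Trojan. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance), that IME layouts are registered under the standard Keyboard Layouts key with an "Ime File" value, and that the SCM driver list is available through Win32_SystemDriver. The file names winnea.ime and pcij.sys come from the write-up; the output shape and the "suspicious" heuristics (file outside System32, missing, or without a valid Authenticode signature) are my own choices.

```powershell
# Added example for this post, not code from Websense, the article, or the Trojan.
# Audits the two artefacts the write-up describes: an .ime registered as a keyboard
# layout / input method, and a kernel driver loaded alongside it.
# Assumes Windows PowerShell 3.0+ running elevated. Indicator names are from the post;
# the output format and the heuristics below are the author's (hypothetical) choices.

$KnownIndicators = @('winnea.ime', 'pcij.sys')   # file names given in the Websense write-up
$System32  = Join-Path $env:SystemRoot 'System32'
$LayoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may be empty, NT-style (\??\C:\...), or relative to \SystemRoot
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$System32\"
    return $p
}

function Test-SuspiciousFile {
    # Returns the reasons a file looks suspicious: a known indicator name, a location
    # outside System32, a missing file, or an Authenticode signature that is not valid.
    param([string]$Path)
    $reasons = @()
    $name = (Split-Path -Leaf $Path).ToLower()
    if ($KnownIndicators -contains $name)  { $reasons += 'name matches Websense indicator' }
    if ($Path -notlike "$System32\*")       { $reasons += 'outside System32' }
    if (Test-Path $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid')        { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'file missing on disk'
    }
    return $reasons
}

# 1. Every registered keyboard layout that points at an IME file
$imeFindings = Get-ChildItem $LayoutKey | ForEach-Object {
    $ime = (Get-ItemProperty $_.PSPath).'Ime File'
    if (-not $ime) { return }
    $path = if ([IO.Path]::IsPathRooted($ime)) { $ime } else { Join-Path $System32 $ime }
    [pscustomobject]@{
        Kind    = 'IME'
        Source  = $_.PSChildName
        Path    = $path
        Reasons = (Test-SuspiciousFile $path) -join '; '
    }
}

# 2. Every kernel driver the Service Control Manager knows about, running or not
$driverFindings = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not $path) { return }
    [pscustomobject]@{
        Kind    = 'Driver'
        Source  = "$($_.Name) ($($_.State), $($_.StartMode))"
        Path    = $path
        Reasons = (Test-SuspiciousFile $path) -join '; '
    }
}

# Only report entries that tripped at least one heuristic
@($imeFindings) + @($driverFindings) |
    Where-Object { $_.Reasons } |
    Sort-Object Kind, Source |
    Format-Table -AutoSize
```

A clean system will still list unsigned or third-party drivers from legitimate vendors, so treat the output as a triage list rather than a verdict; the entries worth a closer look are an IME file that is not a Microsoft-signed binary, or a driver whose name matches the indicator list or that was created at the same time as the IME file.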

trackback

[…] This post was mentioned on Twitter by Kimberly and Mourad Ben Lakhoua. Mourad Ben Lakhoua said: RT @sectechno: Fake Windows IME Trojan https://www.sectechno.com/2010/07/11/fake-windows-ime-trojan/ #security #infosec […]

Anti-Gumblar

Yikes, sounds bad.

Mourad

Yes, we used to say make sure to update your antivirus; I don't know now what to update!
