Fake Windows IME Trojan

Security researchers at Websense have discovered a new Trojan that uses a Windows system component (the input method editor) to disable and delete antivirus software and compromise the victim's machine.

The malicious program installs itself as the Windows input method editor (IME), then stops all antivirus processes, deletes their executable files, and masquerades on the system as an antivirus update package.

Websense has published a blog post describing how this Trojan infects a Windows system. After the malware runs, a file named winnea.ime is created in the Windows system folder.

When the default input method is opened, the previously created winnea.ime starts searching for and detecting installed antivirus products.

At the same time, winnea.ime writes a file called pcij.sys to the system folder and loads it as a driver.

Next, DeviceIoControl is used to kill the running process of any antivirus on its list; the control code is sent to the driver pcij.sys.
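As an added example (not code from the Websense post or from this article), the following Python triage routine encodes the detection logic a defender would derive from the chain above: it flags an IME registered under the Keyboard Layouts registry key whose `Ime File` is missing or not signed by a trusted signer, flags loaded kernel drivers without a trusted signature, and escalates to a single critical finding when both appear together, since that combination is the behaviour described here. The sample registry values, file list, trusted-signer set and the `FileInfo`/`Finding` types are constructed for the example; on a live host the same dictionaries would be populated from the registry and from Authenticode signature checks.

```python
"""Triage check for the IME-plus-driver persistence pattern described above.

Two independent signals are checked and then correlated:
  1. an IME registered under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts
     ("Ime File" value) whose file is missing or not signed by a trusted signer;
  2. a loaded kernel driver in the system folder without a trusted signature.
Registry and file data are passed in as plain dicts so the logic runs offline;
the inputs at the bottom are a constructed sample, not data from the Websense analysis.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed for this example: signer subjects you trust. Extend per environment.
TRUSTED_SIGNERS = {"microsoft windows"}


@dataclass
class FileInfo:
    path: str
    signer: Optional[str]  # Authenticode signer subject; None if unsigned or invalid


@dataclass
class Finding:
    severity: str  # "medium", "high" or "critical"
    what: str      # file name(s) the finding is about
    detail: str


def _trusted(info: Optional[FileInfo]) -> bool:
    """True only if the file exists and its signer is on the trusted list."""
    return info is not None and bool(info.signer) and info.signer.lower() in TRUSTED_SIGNERS


def audit_ime_layouts(layouts: Dict[str, Dict[str, str]], files: Dict[str, FileInfo]) -> List[Finding]:
    """Flag keyboard layouts whose IME component is missing or untrusted.

    layouts: {KLID: values} as read from the Keyboard Layouts key.
    files:   {lower-cased file name: FileInfo} for the system folder.
    """
    findings: List[Finding] = []
    for klid, values in layouts.items():
        ime = values.get("Ime File")
        if not ime:
            continue  # ordinary keyboard layout, no IME component
        info = files.get(ime.lower())
        if info is None:
            findings.append(Finding("medium", ime.lower(),
                                    f"layout {klid} registers an IME file missing from the system folder"))
        elif not _trusted(info):
            findings.append(Finding("high", ime.lower(),
                                    f"layout {klid} loads IME {info.path} with signer {info.signer!r}"))
    return findings


def audit_drivers(loaded: Iterable[str], files: Dict[str, FileInfo]) -> List[Finding]:
    """Flag loaded kernel drivers that are not signed by a trusted signer."""
    return [Finding("high", drv.lower(), "kernel driver loaded without a trusted signature")
            for drv in loaded if not _trusted(files.get(drv.lower()))]


def run_audit(layouts, files, loaded_drivers) -> List[Finding]:
    """Run both checks; an untrusted IME together with an untrusted driver matches
    the behaviour described in the post, so it is escalated to one critical finding."""
    findings = audit_ime_layouts(layouts, files) + audit_drivers(loaded_drivers, files)
    bad_imes = [f.what for f in findings if f.what.endswith(".ime") and f.severity == "high"]
    bad_drvs = [f.what for f in findings if f.what.endswith(".sys")]
    if bad_imes and bad_drvs:
        findings.append(Finding("critical", ",".join(bad_imes + bad_drvs),
                                "untrusted IME and untrusted driver present together: "
                                "review for AV-killing persistence"))
    return findings


# Constructed sample inputs; only the two malicious file names come from the post.
SAMPLE_LAYOUTS = {
    "00000409": {"Layout Text": "US"},                                    # plain layout
    "E0010412": {"Layout Text": "Korean IME", "Ime File": "IMEKR.IME"},   # benign, signed
    "E0200804": {"Layout Text": "Chinese", "Ime File": "winnea.ime"},     # rogue IME
}
SAMPLE_FILES = {
    "imekr.ime":  FileInfo(r"C:\Windows\System32\IMEKR.IME", "Microsoft Windows"),
    "winnea.ime": FileInfo(r"C:\Windows\System32\winnea.ime", None),
    "ntfs.sys":   FileInfo(r"C:\Windows\System32\drivers\ntfs.sys", "Microsoft Windows"),
    "pcij.sys":   FileInfo(r"C:\Windows\System32\pcij.sys", None),
}
SAMPLE_DRIVERS = ["ntfs.sys", "pcij.sys"]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_LAYOUTS, SAMPLE_FILES, SAMPLE_DRIVERS):
        print(f"[{f.severity:8}] {f.what}: {f.detail}")
```

Against the constructed sample, the signed Korean IME and ntfs.sys pass, winnea.ime and pcij.sys are each flagged high, and their co-occurrence produces the critical finding. A file-name match alone is deliberately not used as the signal, because the file names in a campaign change while the registration-plus-unsigned-driver pattern does not.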

This makes it clear that the input method in Windows has become a popular way for hackers to inject malicious code.
