Fake Windows IME Trojan
Security researchers at Websense have discovered a new Trojan that abuses a Windows system component to disable and delete antivirus software and compromise the victim's machine.
The malicious program installs itself as a Windows input method editor (IME), stops all AV processes, deletes their executable files, and disguises itself on the system as an antivirus update package.
Websense has published a blog post describing how this Trojan infects a Windows system. After the malware runs, a file named winnea.ime is created in the Windows system folder.
When the default input method is opened, the previously created winnea.ime starts searching for and detecting antivirus products.
At the same time, winnea.ime writes a file called pcij.sys to the system folder and loads it as a driver.
Next, the driver kills the running process of any antivirus on its list; the kill command is sent to the driver pcij.sys as a control code via DeviceIoControl.
It is clear that the Windows input method is now a popular way for attackers to inject malicious code.
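One way to hunt for the pattern described above on a host inventory, as an added example that is not Websense's or this blog's code: only the file names winnea.ime and pcij.sys come from the write-up; the HostSnapshot layout and the sample file, driver and process names are assumptions constructed for the demo.

```python
from dataclasses import dataclass
# File names quoted in the write-up; every other value below is constructed.
KNOWN_BAD_NAMES = {"winnea.ime", "pcij.sys"}

@dataclass
class HostSnapshot:
    system_dir: str       # Windows system folder, e.g. C:\Windows\System32
    system_files: list    # file names present directly in system_dir
    registered_imes: set  # IME files referenced by installed keyboard layouts
    loaded_drivers: list  # full image paths of loaded kernel drivers
    expected_av: set      # antivirus process names the host should be running
    running: set          # process names currently running

def triage(snap: HostSnapshot) -> list:
    """Return (severity, subject, reason) tuples for the IME-trojan pattern."""
    findings = []
    sysdir = snap.system_dir.rstrip("\\").lower()
    registered = {n.lower() for n in snap.registered_imes}
    for name in snap.system_files:
        lname = name.lower()
        if lname in KNOWN_BAD_NAMES:
            findings.append(("high", name, "name matches an indicator from the write-up"))
        elif lname.endswith(".ime") and lname not in registered:
            # The trojan installs itself as an IME; a .ime file no layout points to is suspect.
            findings.append(("medium", name, "IME file not registered by any keyboard layout"))
    for image in snap.loaded_drivers:
        folder, _, base = image.rpartition("\\")
        if base.lower() in KNOWN_BAD_NAMES:
            findings.append(("high", image, "loaded driver matches an indicator from the write-up"))
        elif folder.rstrip("\\").lower() == sysdir:
            # Drivers normally live under system32\drivers; one loaded from the root is unusual.
            findings.append(("medium", image, "kernel driver loaded from the system folder root"))
    for proc in sorted(snap.expected_av - snap.running):
        findings.append(("medium", proc, "expected antivirus process is not running"))
    return findings

# Constructed snapshot: one benign registered IME, one legitimate driver, the dropped
# files from the write-up, and an antivirus process that has been stopped.
SAMPLE = HostSnapshot(
    system_dir="C:\\Windows\\System32",
    system_files=["kernel32.dll", "sampleime.ime", "winnea.ime", "pcij.sys"],
    registered_imes={"sampleime.ime"},
    loaded_drivers=["C:\\Windows\\System32\\drivers\\ntfs.sys", "C:\\Windows\\System32\\pcij.sys"],
    expected_av={"exampleav.exe"},
    running={"explorer.exe"},
)

if __name__ == "__main__":
    for sev, subject, reason in triage(SAMPLE):
        print(f"[{sev}] {subject}: {reason}")
```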
Yikes, sounds bad.
Yes, we used to say make sure to update your antivirus; I don't know now what to update!