Disables antivirus programs

Jul 6, 2010 10:59 GMT  ·  By

Security researchers from Websense have come across a computer trojan that tries to evade antivirus detection by installing itself as an IME (Input Method Editor). The malware attempts to kill several antivirus programs if they are installed on the victim's computer.

The new Trojan, which Websense doesn't name in its report, arrives on the target system as an executable file called update.exe. Judging by its icon and name, the file masquerades as an update package for an antivirus program.

When run, the malicious executable creates a file called winnea.ime in the system folder and executes it. "winnea.ime is a Dynamic Link Library (DLL) file, but pretends to be an input method file and is installed as an input method," Hermes Li, a Websense researcher, explains.

An Input Method Editor, or IME for short, is a Windows component that lets users enter characters not present on their keyboard, such as those of Chinese, Japanese, Korean or Arabic, from a standard English-layout keyboard: it maps sequences of ordinary keystrokes to characters in the language it was designed for. The detail that matters here is that an IME is implemented as a DLL (conventionally with a .ime extension) which Windows loads into the address space of applications that accept text input. A DLL registered as an input method therefore gets executed inside other processes without ever starting a process of its own, which is what makes the technique attractive for evading detection.

Once loaded in memory, winnea.ime scans the running processes for certain antivirus products, such as Kaspersky, McAfee, Kingsoft or Rising. If any of them is found, the trojan kills the process and deletes the executable files associated with it.

This last operation is performed through another component, pcij.sys, which winnea.ime drops and loads as a kernel driver. Websense mentions DeviceIoControl and ObReferenceObjectByHandle among the functions involved. These sit on opposite sides of the user/kernel boundary: DeviceIoControl is the user-mode call through which winnea.ime sends requests to its driver, while ObReferenceObjectByHandle is the kernel routine the driver uses to turn a handle into a reference to the target process object, so that the process can be terminated and its files removed with kernel privileges. Doing this from kernel mode sidesteps the self-protection that antivirus products apply to their own user-mode processes.

"The input method in Windows is now a popular way for hackers to inject malicious code," Li concludes. And indeed, the method does appear to be gaining some traction. At the end of May, AVG reported a very similar threat targeting Chinese users, who are more likely to use IMEs.
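Because a rogue IME must be registered to get loaded, the registration itself is a good place to look for it. The script below is an added example, not code from Websense or from the report, that audits the input methods registered on a Windows machine: it reads the "Ime File" value of each subkey under HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts, checks which of them HKCU\Keyboard Layout\Preload loads at logon, and flags any IME DLL that is not Authenticode-signed or that lives outside the system directory. The audit logic is a pure function so it can be run offline on the constructed sample data embedded in the script (the layout ids, file names and layout texts in that sample are made up, as is the winnea.ime entry that mimics the trojan); the registry and PowerShell glue at the bottom only runs on Windows with the `--live` flag.

```python
"""Audit registered Windows IMEs for DLLs that should not be there.

Added example, not Websense's code. Assumed layout of the registry:
  HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\<id>  ->  "Ime File", "Layout Text"
  HKCU\Keyboard Layout\Preload                                  ->  layout ids loaded at logon
"""
import ntpath
import sys
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


@dataclass
class ImeEntry:
    layout_id: str    # registry subkey name, e.g. "E0010804"
    ime_file: str     # "Ime File" value: bare name (resolved in System32) or a full path
    layout_text: str  # "Layout Text" value, shown to the user in the language bar
    preloaded: bool   # listed in HKCU\Keyboard Layout\Preload


@dataclass
class Finding:
    entry: ImeEntry
    path: str
    reasons: List[str] = field(default_factory=list)


def resolve_ime_path(ime_file: str, system_dir: str) -> str:
    """A bare file name is loaded from the system directory, which is where winnea.ime was dropped."""
    return ime_file if ntpath.isabs(ime_file) else ntpath.join(system_dir, ime_file)


def audit_ime_entries(entries: Iterable[ImeEntry], system_dir: str,
                      is_signed: Callable[[str], bool]) -> List[Finding]:
    """Return one Finding per IME whose DLL is unsigned or outside the system directory."""
    findings = []
    for entry in entries:
        path = resolve_ime_path(entry.ime_file, system_dir)
        reasons = []
        if not is_signed(path):
            reasons.append("IME DLL is not Authenticode-signed")
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(system_dir):
            reasons.append("IME DLL lives outside the system directory")
        if reasons:
            if entry.preloaded:
                reasons.append("layout is preloaded at logon, so the DLL is loaded in every session")
            findings.append(Finding(entry, path, reasons))
    return findings


# Constructed sample data: two IMEs treated as signed, plus two rogue ones.
# winnea.ime sits in System32 like the real sample, so only the signature check catches it.
SAMPLE_SYSTEM32 = r"C:\Windows\System32"
SAMPLE_SIGNED = {ntpath.normcase(ntpath.join(SAMPLE_SYSTEM32, n)) for n in ("winpy.ime", "imjp10k.dll")}
SAMPLE_ENTRIES = [
    ImeEntry("E0010804", "winpy.ime", "Chinese (Simplified) - QuanPin", True),
    ImeEntry("E0010411", "imjp10k.dll", "Japanese (Microsoft IME)", False),
    ImeEntry("E0050804", "winnea.ime", "Chinese (Simplified) - QuanPin", True),
    ImeEntry("E0060804", r"C:\Users\Public\evil.ime", "", True),
]


def demo() -> List[Finding]:
    """Run the audit over the constructed sample with a set-based signature oracle."""
    return audit_ime_entries(SAMPLE_ENTRIES, SAMPLE_SYSTEM32,
                             lambda p: ntpath.normcase(p) in SAMPLE_SIGNED)


def collect_ime_entries() -> List[ImeEntry]:
    """Read the live registry (Windows only)."""
    import winreg
    preload = set()
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            preload.add(str(winreg.EnumValue(key, i)[1]).upper())
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Keyboard Layouts") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            layout_id = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, layout_id) as key:
                try:
                    ime_file = winreg.QueryValueEx(key, "Ime File")[0]
                except FileNotFoundError:
                    continue  # ordinary keyboard layout, no IME DLL
                try:
                    text = winreg.QueryValueEx(key, "Layout Text")[0]
                except FileNotFoundError:
                    text = ""
                entries.append(ImeEntry(layout_id, ime_file, text, layout_id.upper() in preload))
    return entries


def authenticode_valid(path: str) -> bool:
    """Ask PowerShell's Get-AuthenticodeSignature; anything but Valid counts as untrusted."""
    import subprocess
    cmd = ["powershell", "-NoProfile", "-Command",
           f"(Get-AuthenticodeSignature -LiteralPath '{path}').Status"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout.strip() == "Valid"


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        system32 = ntpath.join(__import__("os").environ["SystemRoot"], "System32")
        findings = audit_ime_entries(collect_ime_entries(), system32, authenticode_valid)
    else:
        findings = demo()
    for f in findings:
        print(f"{f.entry.layout_id} {f.path} ({f.entry.layout_text!r}): " + "; ".join(f.reasons))
```

On the sample data the two Microsoft-looking entries pass, winnea.ime is reported only because its DLL is unsigned, and the entry pointing outside System32 is reported for both reasons. A signature check rather than a file-name allowlist is the deliberate choice: the trojan's file name was chosen to blend in with the win*.ime names of the stock Chinese input methods, so name-based matching is exactly what it was built to defeat.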

You can follow the editor on Twitter @lconstantin