Fake Input Method Editor (IME) Trojan

Jul 07

Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject itself into a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it can allow a user of a 'Western' keyboard to input Chinese, Japanese, Korean, and Indic characters.

The trojan installs itself as an IME, then kills any running antivirus processes and deletes the installed antivirus executable files. The trojan's original executable disguises itself as an antivirus update package.

When a user runs the trojan, it creates a file named winnea.ime under the system folder. The .ime file type is primarily associated with Microsoft's 'Global Input Method Editor'.

In the above example, winnea.ime is a Dynamic Link Library (DLL) file that pretends to be an input method file and is installed as an input method. The input parameter 5Ah (SPI_SETDEFAULTINPUTLANG) is passed to the SystemParametersInfo function (sub_131486C0) to change the user profile in the Windows registry and set the default IME.
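Because the trojan registers its DLL as an IME and then makes it the default input language, a defender can look for the same footprint on a host. The following PowerShell is an added example (not part of the Websense write-up): it walks the registered keyboard layouts, picks out those backed by an "Ime File", checks whether that file exists in System32 and carries a valid Authenticode signature, and marks which layout the current user preloads as the default.

```powershell
# Added example, not from the original analysis. Registry locations are standard Windows:
# HKLM ...\Keyboard Layouts\<KLID> holds "Ime File" for IME-backed layouts, and
# HKCU:\Keyboard Layout\Preload value "1" is the user's default input language
# (the value that SystemParametersInfo(SPI_SETDEFAULTINPUTLANG) rewrites).
$layoutRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$system32   = Join-Path $env:SystemRoot 'System32'

$preload     = Get-ItemProperty 'HKCU:\Keyboard Layout\Preload' -ErrorAction SilentlyContinue
$defaultKlid = if ($preload) { $preload.'1' } else { $null }

$findings = foreach ($key in Get-ChildItem $layoutRoot) {
    $props = Get-ItemProperty $key.PSPath
    if (-not $props.'Ime File') { continue }   # plain keyboard layouts carry no IME DLL

    $klid   = $key.PSChildName
    $path   = Join-Path $system32 $props.'Ime File'
    $exists = Test-Path $path
    # Catalog-signed inbox IMEs may report NotSigned on older PowerShell builds,
    # so treat a non-Valid status as a triage lead rather than a verdict.
    $sig = if ($exists) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }

    [pscustomobject]@{
        KLID       = $klid
        ImeFile    = $props.'Ime File'
        LayoutText = $props.'Layout Text'
        Signature  = $sig
        IsDefault  = ($klid -eq $defaultKlid)
        Suspicious = ($sig -ne 'Valid')   # missing or unsigned IME DLL deserves a closer look
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the signature check can read every file; an IME that is both the preloaded default and unsigned matches the behaviour described above and should be pulled for analysis.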

When the user switches to the default input method, winnea.ime is loaded and checks running processes against a built-in list of antivirus products.

At the same time, winnea.ime drops a file named pcij.sys into the system folder and loads it as a driver.

It then calls DeviceIoControl to kill the running process of any antivirus in the list; the control code is sent to the driver pcij.sys.

The pcij.sys driver is used to find all running antivirus processes and kill them, calling the ObReferenceObjectByHandle function.

This quick analysis shows an interesting way for a trojan to inject itself into a system. The Windows input method is now a popular way for attackers to inject malicious code.

Websense Messaging and Websense Web Security customers are protected against these attacks.

13 comments

  1. Thanks!! Rather a very helpful article.

  2. I have developed a blog and I was thinking of changing the template. Yours looks pretty decent! Feel free to visit my blog and suggest things!

  3. Most of the times I visit a blog I notice that most blogs are amateurish. Regarding your blog, I could honestly say that your writing is decent and your website solid.

  4. P90x is one of the best workouts I ever followed; from your post I came to know a few new things that can help me out.

  5. Love the blog here. Nice colors. I am definitely keeping up on the comments here. I hope to see more from you in the near future.

  6. You are not the average blog author, man. You surely have something important to add to the net. Such a wonderful blog. I’ll be back for more.

  7. Thanks bud. Nice website you have here. Got some extra sites to direct to with more information?

  8. Hello, an awesome blog post dude. Thnkx. Unfortunately I am experiencing trouble with the RSS feed. Unable to subscribe to it. Is anyone getting the identical RSS problem? Anyone who can assist kindly respond. Thank you.

  9. Surprisingly! It is like you understand my mind! You seem to know so much about this, just like you wrote the book on it or something. I think that you could do with some images to drive the content home a bit; besides that, this is a good blog. A wonderful read. I’ll certainly be back.

  10. Random question: I know you are using WordPress for this blog, but have you tried any other platforms? I am trying to decide whether to use WordPress or BlogEngine and I ask because I like yours.

  11. Is there any way to subscribe to this post? I’d like to be updated on the comments here as they come in. I’ve always been somewhat of a debater and I’d like to hear others’ opinions on this issue.

  13. I recently came across your website and have been reading a lot of posts of yours. I just thought I’d add a quick comment and let you know that you’ve got a really nice blog. I’ll watch out for updates from you!
