New Trojan Disguises as IME

Researchers at Websense (a security company) state that they have detected a new PC Trojan, whose name the security company does not disclose, that attempts to elude antivirus detection by planting itself as an Input Method Editor (IME). An IME is a program or operating system component that allows users to add symbols and characters not present on their input device. Thus, it can let someone using an English-language keyboard enter Japanese, Indic, Korean or Chinese characters.

Websense outlines that the Trojan's actual executable file masquerades as an update for antivirus software. Explaining how the Trojan works, Hermes Li, a researcher at Websense, says that once executed, the malicious .exe file opens another file inside the system directory that it names "winnea.ime." This new file is a DLL (Dynamic Link Library) file, but it is installed in the guise of an IME file, as reported by Softpedia on July 6, 2010.

When winnea.ime is loaded into memory, it scans the computer's active processes for specific AV applications such as McAfee, Kaspersky, Rising or Kingsoft. If any of these applications is detected, the Trojan disables the process and deletes the associated .exe files. To carry out this final activity, winnea.ime first produces another program named 'pcij.sys', which is installed as a system driver. The driver calls operations such as ObReferenceObjectByHandle or DeviceIoControl to complete the task, Websense explains.

Websense also highlights that this quick assessment demonstrates an interesting method that PC Trojans can use to introduce themselves into a machine. The "input method" approach also appears to be gaining momentum, since attackers apparently see it as an appealing technique for inserting malware into an end-user's computer.
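A defender's check for the artifacts named above, as an added PowerShell example that is not from Websense or the original article: it lists IME files registered under the Keyboard Layouts registry key with their signature status, then looks for the file and driver names the article gives. That the Trojan registers itself through this key and that the files sit in System32 are assumptions; the function and variable names are illustrative.

```powershell
# Added example. The two file names come from the article; paths are assumptions.
$SuspectIme    = 'winnea.ime'   # file the article says is placed in the system directory
$SuspectDriver = 'pcij.sys'     # driver the article says winnea.ime produces
$SysDir  = Join-Path $env:SystemRoot 'System32'
$Layouts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'

function Get-RegisteredIme {
    # Legacy (IMM32) IMEs are listed per keyboard layout in an 'Ime File' value.
    Get-ChildItem -Path $Layouts -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.'Ime File') {
            $path = Join-Path $SysDir $props.'Ime File'
            $sig = if (Test-Path -LiteralPath $path) {
                [string](Get-AuthenticodeSignature -LiteralPath $path).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                Layout         = $_.PSChildName
                ImeFile        = $props.'Ime File'
                Signature      = $sig
                NamedInArticle = ($props.'Ime File' -ieq $SuspectIme)
            }
        }
    }
}

# Review any registered IME that is not validly signed or matches the article's name.
# On older Windows builds catalog-signed system files can show as NotSigned, so
# treat that status as a lead to review, not a verdict.
Get-RegisteredIme |
    Where-Object { $_.Signature -ne 'Valid' -or $_.NamedInArticle } |
    Format-Table -AutoSize

# The file may exist on disk without being registered as a layout.
$onDisk = Join-Path $SysDir $SuspectIme
if (Test-Path -LiteralPath $onDisk) {
    Get-Item -LiteralPath $onDisk -Force | Select-Object FullName, Length, CreationTimeUtc
}

# Kernel drivers whose image path ends in the driver name from the article.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*\$SuspectDriver" } |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated 64-bit PowerShell session so the real System32 directory is inspected rather than the redirected 32-bit view.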

In late May 2010, AVG noted a quite similar attack aimed at Chinese users, who tend to use Input Method Editors. To keep the risk from the new Trojan low, computer users are advised to always make sure their security software is up to date.

SPAMfighter News - 16-07-2010














