Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it could allow a user of a 'Western' keyboard to input Chinese, Japanese, Korean, and Indic characters.
The trojan can install itself as an IME, then it kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package.
When a user runs the trojan, it creates a file named winnea.ime under the system folder,The .ime file type is primarily associated with 'Global Input Method Editor' by Microsoft Corporation:
In the above example, winnea.ime is a Dynamic Link Library (DLL) file, but pretends to be an input method file and is installed as an input method. The input parameter "5Ah" was used by SystemParametersInfo Function(sub_131486C0) to change the user profile in the Windows registry to set the default IME:
When the user opens the default input method, the file winnea.ime loads and detects an antivirus list:
At the same time, winnea.ime releases a file named pcij.sys to the system folder and loads it as a driver process:
Then it calls DeviceIOControl to kill the running process of any antivirus in the list; the control code is sent to the driver process pcij.sys:
The pcij.sys file is used to find all running antivirus processes and kill them by calling the ObReferenceObjectByHandle function:
This quick analysis shows an interesting way that trojans can use to inject themselves into a system. The input method in Windows is now a popular way for hackers to inject malicious code.
Websense Messaging and Websense Web Security customers are protected against these attacks.