Input Method Editor (IME) Trojan Disables and Removes Anti-Virus

Websense has discovered an Input Method Editor Trojan. The Trojan masquerades as a security update and abuses a Windows component used to input additional characters or symbols that an attached input device cannot type directly. According to the Websense advisory:

Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it could allow a user of a ‘Western’ keyboard to input Chinese, Japanese, Korean, and Indic characters.

The trojan can install itself as an IME, then it kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package.

I have seen a lot of online Anti-Virus malware recently. Only use the Anti-Virus update included with your Anti-Virus program. Never run “updates” from an e-mail message or from websites. See the Websense site for more information and an in-depth explanation of how the Trojan code works.
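One check a defender can run against this persistence mechanism, added here as an example and not code from this post or from Websense: it lists the IMEs registered in the standard Keyboard Layouts registry key and flags any whose file is missing, is not validly signed, or lives outside the system directory. It assumes the Trojan registers the way a legitimate IME does, through an "Ime File" value under that key; the advisory quoted above does not say exactly how the Trojan installs itself.

```powershell
# Added example (not from the Websense advisory): audit the IMEs registered in
# the standard Windows location. Assumption: a malicious IME is registered the
# same way a legitimate one is, i.e. via an "Ime File" value under the
# Keyboard Layouts key. Run from an elevated PowerShell prompt.
$layoutsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$systemDir  = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32

Get-ChildItem -Path $layoutsKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if (-not $props.'Ime File') { return }   # plain keyboard layout, no IME involved

    $sig     = $null                          # reset so no value leaks between layouts
    $imeFile = $props.'Ime File'
    # IME entries are normally bare file names resolved from System32;
    # an absolute path is kept as written.
    $fullPath = if ([System.IO.Path]::IsPathRooted($imeFile)) { $imeFile }
                else { Join-Path -Path $systemDir -ChildPath $imeFile }

    if (-not (Test-Path -Path $fullPath)) {
        $status = 'MISSING'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $fullPath
        $inSystemDir = $fullPath.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)
        $status = if ($sig.Status -ne 'Valid') { 'UNSIGNED/INVALID' }
                  elseif (-not $inSystemDir)   { 'OUTSIDE SYSTEM DIR' }
                  else                         { 'ok' }
    }

    [PSCustomObject]@{
        LayoutId = $_.PSChildName            # IME layouts normally start with E0
        Text     = $props.'Layout Text'
        ImeFile  = $fullPath
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Status   = $status
    }
} | Sort-Object -Property Status -Descending | Format-Table -AutoSize
```

Anything reported as MISSING, UNSIGNED/INVALID or OUTSIDE SYSTEM DIR deserves a closer look; a genuine Microsoft IME will show a valid signature and a System32 path.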


2 thoughts on “Input Method Editor (IME) Trojan Disables and Removes Anti-Virus”

  1. Hey bro! Had a great 4th, hope you did too.

    Very interesting link, thank you. Impressive picture on the WSJ article. My former boss was a Nuclear Power engineer. He told me an interesting story once. See all that wonderful electronic equipment in the control room? Well, the room below is full of the wires that connect all of that stuff. There was a natural gas leak in the wire room at the plant he was at and an engineer brainiac was looking for it using his lighter. Yup, he started a fire.

    It just goes to show that people will always be the weakest link in defending your system. Beware the engineer with the lighter!
