Input Method Editor (IME) Trojan Disables and Removes Anti-Virus

Websense has discovered an Input Method Editor (IME) Trojan. The Trojan masquerades as a security update and abuses the Windows component used to enter characters or symbols that are not available on the attached input device. According to the Websense advisory:

Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it could allow a user of a ‘Western’ keyboard to input Chinese, Japanese, Korean, and Indic characters.

The trojan can install itself as an IME, then it kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package.

I have seen a lot of online Anti-Virus malware recently. Only use the Anti-Virus update included with your Anti-Virus program. Never run “updates” from an e-mail message or from websites. See the Websense site for more information and an in-depth explanation of how the Trojan code works.
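
One way to audit the IME registration point the advisory describes, as an added example that is not from this post or from Websense: the PowerShell below lists every legacy IME module registered under the Windows Keyboard Layouts registry key and reports its Authenticode status. It assumes the trojan registers through that key (the post does not say where) and that relative "Ime File" names resolve to System32.

```powershell
# Added example: audit IME modules registered under "Keyboard Layouts".
# Assumption: the IME is registered via the legacy IMM32 "Ime File" value.
$root  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$sys32 = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($key in Get-ChildItem -Path $root) {
    $props   = Get-ItemProperty -Path $key.PSPath
    $imeFile = $props.'Ime File'
    if (-not $imeFile) { continue }   # plain keyboard layout, no IME module

    # Relative names are resolved against System32 (assumption, see lead-in).
    $path = if ([IO.Path]::IsPathRooted($imeFile)) { $imeFile }
            else { Join-Path $sys32 $imeFile }

    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }

    [pscustomobject]@{
        Klid            = $key.PSChildName
        LayoutText      = $props.'Layout Text'
        ImeFile         = $path
        Exists          = $exists
        SignatureStatus = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        Signer          = if ($sig -and $sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          }
        LastWrite       = if ($exists) {
                              (Get-Item -LiteralPath $path).LastWriteTime
                          }
    }
}

# Full inventory, then only the entries that need a closer look:
# unsigned, tampered, or missing IME modules.
$findings | Sort-Object SignatureStatus | Format-Table -AutoSize
$findings | Where-Object { $_.SignatureStatus -ne 'Valid' } | Format-List
```

An entry that is not `Valid`, or whose `LastWrite` is close to the time an "update" was run, is a candidate for review rather than proof of infection.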