It's ironic when malware that drops and installs a Chinese IME into a victim's system pretends to be a regular AV component.
It was first discovered on a popular Chinese website infected with the "Aurora" exploit. Execution of this exploit causes the malware file qi.exe to be downloaded onto the vulnerable system.
qi.exe pretends to be a 360 Safe Guarder (Chinese AV company) update component, using the same icon and file version info as that company's software.
When qi.exe is executed it drops another malware file into the system folder:
C:\WINDOWS\system32\MiAnHuAtIaNg.ime
and installs it as default Input Method Editor by modifying the following registry:
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Ime File" = "MIANHUATIANG.IME"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Layout Text" = "cn(ext)"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Layout File" = "kbdus.dll"
HKCU\Keyboard Layout\Preload "3" = "E0200804"
HKCU\Keyboard Layout\Preload "1" = "E0200804"
which is an interesting hiding method.
Ironically, the dropped malware is in fact a KillAV trojan, and it kills 360 Safe Guarder (and other antivirus software as well) using Image File Execution Options:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE "debugger" = "ntsd -d"
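As an added illustration (not from the original post), a small Python triage script that scans a `reg export`-style dump for the two registry tricks described above: an IFEO `debugger` value set on a program, and a Keyboard Layouts entry whose "Ime File" is not on a baseline of known IME files, plus Preload slots that reference such a layout. The sample dump is constructed from the values in this post, and the baseline of known IME file names is an assumption the caller supplies from a clean reference system.

```python
import re

# Constructed .reg-style dump (not a real capture); values mirror the post above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE]
"debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File"="MIANHUATIANG.IME"
"Layout Text"="cn(ext)"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="E0200804"
"3"="E0200804"
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
LAYOUTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"
PRELOAD = r"HKEY_CURRENT_USER\Keyboard Layout\Preload"

def parse_reg_export(text):
    """Return {key: {value_name: value}} from .reg text; only string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # dword:/hex: data is skipped on purpose
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_suspicious(keys, known_ime_files):
    """known_ime_files: lower-case IME names from a clean reference box (assumed baseline)."""
    findings, bad_layouts = [], set()
    for key, values in keys.items():
        vals = {n.lower(): v for n, v in values.items()}
        sub = key.rsplit("\\", 1)[-1]          # last path component
        parent = key[: len(key) - len(sub) - 1]
        if parent.lower() == IFEO.lower() and "debugger" in vals:
            findings.append(("ifeo_debugger", sub, vals["debugger"]))
        elif parent.lower() == LAYOUTS.lower() and "ime file" in vals:
            if vals["ime file"].lower() not in known_ime_files:
                bad_layouts.add(sub.upper())
                findings.append(("unknown_ime", sub, vals["ime file"]))
    # A Preload slot pointing at a flagged layout means the IME loads at logon.
    for slot, layout in keys.get(PRELOAD, {}).items():
        if layout.upper() in bad_layouts:
            findings.append(("preloaded_ime", slot, layout))
    return findings
```

Any IFEO Debugger value redirects launches of that program to the named debugger, and `ntsd -d` simply makes the AV process exit silently, so every such entry deserves a look. An empty baseline flags every IME, so populate it from a clean reference machine.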
It also exports a few functions. The functions "DIKOU" and "Sete" are the real malware payload. The other functions are useless (they do nothing). The only reason the malware exports them is to convince victims that "I am a normal IME file, don't remove me".
Detection of the mentioned malware is very low at the time of writing. AVG detects qi.exe as Trojan horse Generic17.CEPF, MiAnHuAtIaNg.ime as Trojan horse KillAV.AQT, and the infected web pages as Exploit.Aurora.
To remove this infection, simply delete the detected files.
(thanx to "Frank" Zheng)