Threat Description

Details

Aliases: Hearse.A
Category: Malware
Type: Backdoor, Rootkit
Platform: W32

Summary



Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



System installation

When the backdoor file is run, it drops the following two files to the Windows system directory:

  • zopenssl.dll
  • zopenssld.sys

Then the backdoor creates the following registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl] "DllName" = "zopenssl.dll" Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.The rootkit system service is activated using the following arguments:

  • BinaryPathName: zopenssld.sys
  • ServiceName: zopenssld
  • DisplayName: OPENSSL cryptoapi

Hearse.A may also create the following files:

  • nwr7.ies4
  • bklks.ies4
  • nwr8.ies4

Rootkit Hiding Techniques

Hearse.A is able to hide the following items:

  • Files and directories

When it is active it hides its own files.Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:

  • NtCreateProcess
  • NtCreateProcessEx
  • NtQueryDirectoryFile

This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:

  • nwr7.ies4
  • zopenssl.dll
  • bklks.ies4
  • zopenssld.sys
  • nwr8.ies4

Backdoor functionality

Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:

  • Run any program on the system
  • Download additional files
  • Spawn an interactive command shell
  • Create and send a screenshot of the desktop
  • Collect and send passwords and other account information
  • Uninstall the backdoor

Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More