Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
When the backdoor file is run, it drops the following two files to the Windows system directory:
Then the backdoor creates the following registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl] "DllName" = "zopenssl.dll" Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.The rootkit system service is activated using the following arguments:
- BinaryPathName: zopenssld.sys
- ServiceName: zopenssld
- DisplayName: OPENSSL cryptoapi
Hearse.A may also create the following files:
Rootkit Hiding Techniques
Hearse.A is able to hide the following items:
- Files and directories
When it is active it hides its own files.Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:
This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:
Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:
- Run any program on the system
- Download additional files
- Spawn an interactive command shell
- Create and send a screenshot of the desktop
- Collect and send passwords and other account information
- Uninstall the backdoor
Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.