Type:	Backdoor, Rootkit
Category:	Trojan
Platform:	Win32

Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

System installation

When the backdoor file is run, it drops the following two files to the Windows system directory:

Then the backdoor creates the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl]
"DllName" = "zopenssl.dll"Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.The rootkit system service is activated using the following arguments:

Hearse.A may also create the following files:

Rootkit Hiding Techniques

Hearse.A is able to hide the following items:

When it is active it hides its own files.Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:

This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:

Backdoor functionality

Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:

Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.