1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Hearse.A

Hearse.A

Type:Backdoor, Rootkit
Category:Trojan
Platform:Win32

Summary

Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.

Disinfection

Detection and Disinfection of Rootkits

If the rootkit is not detected or is hidden so that FSAV cannot detect its files, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:

http://www.f-secure.com/blacklight/

The BlackLight utility is also able to disinfect computers that are infected by rootkits.

Additional Details

System installation
When the backdoor file is run, it drops the following two files to the Windows system directory:
  • zopenssl.dll
  • zopenssld.sys
Then the backdoor creates the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl]
"DllName" = "zopenssl.dll"

Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.

The rootkit system service is activated using the following arguments:
  • BinaryPathName: zopenssld.sys
  • ServiceName: zopenssld
  • DisplayName: OPENSSL cryptoapi
Hearse.A may also create the following files:
  • nwr7.ies4
  • bklks.ies4
  • nwr8.ies4

Rootkit Hiding Techniques

Hearse.A is able to hide the following items:
  • Files and directories
When it is active it hides its own files.

Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:
  • NtCreateProcess
  • NtCreateProcessEx
  • NtQueryDirectoryFile
This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:
  • nwr7.ies4
  • zopenssl.dll
  • bklks.ies4
  • zopenssld.sys
  • nwr8.ies4

Backdoor functionality

Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:
  • Run any program on the system
  • Download additional files
  • Spawn an interactive command shell
  • Create and send a screenshot of the desktop
  • Collect and send passwords and other account information
  • Uninstall the backdoor
Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]
Version = 2006-03-23_02.

Write-up: Jarkko Turkulainen

Technical Details: Jarkko Turkulainen & Kimmo Kasslin, March 23, 2006

Description Updated: Sean Sullivan, March 23, 2006

F-Secure Corporation