F-Secure Trojan Information Pages : Hearse.A [ Summary ] | [ Disinfection ] | [ Detailed Description ] | [ Detection ] Name: Hearse.A Type: Backdoor, Rootkit Category: Trojan Platform: Win32 Summary Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files. Disinfection Detection and Disinfection of Rootkits If the rootkit is not detected or is hidden so that FSAV cannot detect its files, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here: http://www.f-secure.com/blacklight/ The BlackLight utility is also able to disinfect computers that are infected by rootkits. Back to the Top Detailed Description System installation When the backdoor file is run, it drops the following two files to the Windows system directory: zopenssl.dll zopenssld.sys Then the backdoor creates the following registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl] "DllName" = "zopenssl.dll" Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor. The rootkit system service is activated using the following arguments: BinaryPathName: zopenssld.sys ServiceName: zopenssld DisplayName: OPENSSL cryptoapi Hearse.A may also create the following files: nwr7.ies4 bklks.ies4 nwr8.ies4 Rootkit Hiding Techniques Hearse.A is able to hide the following items: Files and directories When it is active it hides its own files. Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table: NtCreateProcess NtCreateProcessEx NtQueryDirectoryFile This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names: nwr7.ies4 zopenssl.dll bklks.ies4 zopenssld.sys nwr8.ies4 Backdoor functionality Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions: Run any program on the system Download additional files Spawn an interactive command shell Create and send a screenshot of the desktop Collect and send passwords and other account information Uninstall the backdoor Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above. Back to the Top Detection F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2006-03-23_02. Back to the Top Write-up: Jarkko Turkulainen Technical Details: Jarkko Turkulainen & Kimmo Kasslin, March 23, 2006 Description Updated: Sean Sullivan, March 23, 2006 F-Secure Corporation