Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When the backdoor file is run, it drops the following two files to the Windows system directory:
Then the backdoor creates the following registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl] "DllName" = "zopenssl.dll" Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.The rootkit system service is activated using the following arguments:
Hearse.A may also create the following files:
Hearse.A is able to hide the following items:
When it is active it hides its own files.Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:
This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:
Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:
Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.