Threat Description



Category: Malware
Type: Backdoor, Rootkit
Platform: W32
Aliases: Hearse.A


Hearse.A is a backdoor that steals passwords and account information. It also installs a SOCKS proxy and a backdoor that allows access to an infected system. Hearse.A uses rootkit techniques to hide its files.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

System installation

When the backdoor file is run, it drops the following two files to the Windows system directory:

  • zopenssl.dll
  • zopenssld.sys

Then the backdoor creates the following registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl] "DllName" = "zopenssl.dll" Durin the system start, this registry key loads the backdoor main file, zopenssl.dll, to the address space of Winlogon.exe. When the DLL is activated, it starts the rootkit as a system service and runs the actual backdoor.The rootkit system service is activated using the following arguments:

  • BinaryPathName: zopenssld.sys
  • ServiceName: zopenssld
  • DisplayName: OPENSSL cryptoapi

Hearse.A may also create the following files:

  • nwr7.ies4
  • bklks.ies4
  • nwr8.ies4
Rootkit Hiding Techniques

Hearse.A is able to hide the following items:

  • Files and directories

When it is active it hides its own files.Hearse.A installs and executes a kernel-mode driver (zopenssld.sys) to execute code in privilege level 0 (kernel mode). The kernel-mode code replaces the following function pointers from the system service table:

  • NtCreateProcess
  • NtCreateProcessEx
  • NtQueryDirectoryFile

This allows it to inject code into any newly created process. In addition, it hides files or directories with any of the following names:

  • nwr7.ies4
  • zopenssl.dll
  • bklks.ies4
  • zopenssld.sys
  • nwr8.ies4
Backdoor functionality

Hearse.A uses HTTP requests for communicating with a remote server controlled by the attacker. The server may request the infected system to perform any of the following actions:

  • Run any program on the system
  • Download additional files
  • Spawn an interactive command shell
  • Create and send a screenshot of the desktop
  • Collect and send passwords and other account information
  • Uninstall the backdoor

Hearse.A also starts up a SOCKS proxy on the infected system. The proxy port is reported back to the attacker by including it in the HTTP requests described above.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More