Results 1 to 3 of 3

Thread: Spybot should detect & remove these rootkits:

  1. #1
    Join Date
    Jun 2006

    Arrow Spybot should detect & remove these rootkits:

    Spybot should detect & remove these rootkits:

    1) Rootkit.hearse

    It attempts to download several pieces of Spyware, Adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: the first piece is a device driver named 'zopenssld.sys', and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where they reside, though the malicious versions are located in the System32 folder. While the DLL was invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode. he Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to hxxx://, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent. After further investigation, it was determined that this Malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information that was being stolen.

    2) Spybot - hpsebc08.exe and msdirectx.sys


    - cannot open Word or Excel
    - machine hangs up
    - Symantec crashes
    - regedit and task manager closes immediately


    Is the value IPOT USB Service DRV32 which runs the file hpsebc08.exe. The file is hidden and located under c:\Windows\System32. If you do a search for hpsebc08, you'll also find a Prefetch file (.pf).

    it drops, msdirectx.sys, which is detected as the generic "hacktool.rootkit". This virus attempts to connect to an outside server using IP address with port 19899.
    Last edited by tashi; 2007-01-06 at 08:18. Reason: Disabled Url
    Unified Network of Instructors and Trained Eliminators

    Alliance of Security Analysis Professionals™

  2. #2
    Member rene's Avatar
    Join Date
    Oct 2005



    Rootkit.hearse has been added to the detection rules. Next week it will be addedt to the beta detection rules.

    The other one i´m working on.


  3. #3
    Junior Member
    Join Date
    Dec 2006

    Default Thank you...

    Good for you. I knew there was no hypocrisy at safer networking. Now, a question. I go to the Secunia website regularly for updates on what bad stuff is out there. They are particularly good at rooting out exploits in the cyber world. Does Safer Networking use their system scan? I have, and it is very useful. It's a Java application, and is good at finding outdated app's.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts