IMPORTANT NOTE: If you have been affected by this trojan, change
your Windows domain and RAS passwords immediately.
Hooker is a password- and data-stealing trojan. When run, it
installs itself as KERN32.EXE (the name may differ between
versions) in the \Windows\System\ directory and modifies the
RunOnce key in the Registry so that it is run during the next
Windows session. When activated the next time, the trojan renews
the RunOnce key, so it becomes active during every Windows
session.
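A legitimate RunOnce value is removed by Windows when it has run, so the same value reappearing under RunOnce at successive logons is the footprint of a program that re-registers itself, as described above. The script below is an added example (not part of the F-Secure analysis and not the trojan's code): it parses two constructed .reg exports of the autostart keys, taken at two different sessions, and reports RunOnce values that survived from one session to the next. The value name "Updater", the second snapshot and the paths are constructed for the example; only the file name KERN32.EXE comes from the analysis, and the analysis notes that the name may differ between versions.

```python
import re
from typing import Dict, List, Tuple

# Two constructed .reg exports of the autostart keys, captured at two
# different logons (sample data for this example, not from a real system).
SNAPSHOT_SESSION_1 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\WINDOWS\\SYSTEM\\KERN32.EXE"
"SetupCleanup"="C:\\WINDOWS\\TEMP\\cleanup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""

# At the next logon the one-shot SetupCleanup entry is gone, as RunOnce
# entries should be, but the "Updater" value has been written back.
SNAPSHOT_SESSION_2 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\WINDOWS\\SYSTEM\\KERN32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""

# File name reported in the analysis; variants may use a different name.
HOOKER_FILENAMES = {"kern32.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes; undo that escaping.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            result[current][m.group("name")] = data
    return result


def runonce_entries(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Collect every value under any RunOnce key, keyed by case-folded value name."""
    found: Dict[str, str] = {}
    for key, values in reg.items():
        if key.lower().endswith("\\runonce"):
            for name, data in values.items():
                found[name.lower()] = data
    return found


def renewed_runonce(snap_a: str, snap_b: str) -> List[Tuple[str, str]]:
    """RunOnce values present with identical data in two different sessions."""
    a = runonce_entries(parse_reg_export(snap_a))
    b = runonce_entries(parse_reg_export(snap_b))
    return sorted((name, a[name]) for name in a if b.get(name) == a[name])


def matches_known_name(command: str) -> bool:
    """True if the executable named in the value matches the file name from the analysis."""
    first_token = command.strip('"').split()[0] if command.strip() else ""
    basename = first_token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in HOOKER_FILENAMES


def report(snap_a: str, snap_b: str) -> List[str]:
    """Human-readable findings for RunOnce values that outlived a session."""
    findings = []
    for name, data in renewed_runonce(snap_a, snap_b):
        reason = "RunOnce value re-created across sessions"
        if matches_known_name(data):
            reason += "; file name matches the Hooker analysis"
        findings.append(f"{name} -> {data}: {reason}")
    return findings


if __name__ == "__main__":
    for line in report(SNAPSHOT_SESSION_1, SNAPSHOT_SESSION_2):
        print(line)
```

On a real machine the two snapshots would come from exporting the Run/RunOnce keys (for example with regedit's export) at two consecutive logons; the comparison, not the file name, is the durable signal, since the analysis says the file name changes between versions.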
After initial installation the trojan drops a keylogging DLL from
inside its body (as HKSDLL.DLL, though the name can differ between
versions) and registers itself as a service process. This way its
task is not visible in Task Manager.
The trojan monitors keyboard input, captures logins and passwords
for RAS (Remote Access Server), gathers information about the
network (IPs, passwords, scripts) to which the infected computer
is connected, and sends all this information to an e-mail address
that is stored in encrypted form in the trojan's body. The trojan
uses an anonymous mail server to send the e-mails; the name of
that server is also stored in the trojan's body in encrypted form.
The trojan stays installed on an infected system only for a
limited time. After its time limit expires, the trojan deletes
itself from the system.
[Analysis: Alexey Podrezov; F-Secure Corp.; May 2001]