

Hooker


Aliases:


Hooker
Trojan.PSW.Hooker

Malware
Trojan
W32

Summary

IMPORTANT NOTE: If you have been affected by this trojan, change your Windows domain and RAS password immediately.

Hooker is a password- and data-stealing trojan. When run, it installs itself as KERN32.EXE (the name may differ between versions) in the \Windows\System\ directory and modifies the RunOnce key in the Registry so that it runs during the next Windows session. Each time it is activated, the trojan renews the RunOnce key, so it stays active in every Windows session.
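The RunOnce renewal described above leaves a pattern a defender can check for: a command that is back in the key in every session. The following is an added example, not F-Secure's code; the `reg query` captures, the hive, the value names and the non-trojan entries are constructed sample data.

```python
import re

# File name the page gives for this variant; other versions may use other names.
PAGE_NAMES = {"KERN32.EXE"}

# Constructed `reg query` output for a RunOnce key, one capture per Windows
# session. The hive, value names and the non-trojan entries are made up.
SNAPSHOTS = [r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    kern32    REG_SZ    C:\WINDOWS\SYSTEM\KERN32.EXE
    SetupCleanup    REG_SZ    C:\Program Files\Example\cleanup.exe /final
""", r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    kern32    REG_SZ    C:\Windows\System\kern32.exe
""", r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    kern32    REG_SZ    C:\WINDOWS\SYSTEM\KERN32.EXE
    DriverFinish    REG_SZ    "C:\Drivers\finish.exe"
"""]

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {value name: command} for the values listed under one key."""
    matches = (VALUE_RE.match(line) for line in text.splitlines())
    return {m["name"]: m["data"].strip() for m in matches if m}

def image_name(command):
    """Upper-cased file name of the program a RunOnce command starts."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|com|bat|cmd))\b", cmd, re.I)
        path = m.group(1) if m else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].upper()

def find_persistent(snapshots):
    """Report commands present in every session's RunOnce capture."""
    # Windows deletes a RunOnce value when it runs it, so a command that is
    # there again in each session is being re-written between sessions.
    if len(snapshots) < 2:
        return []  # one capture cannot show recurrence
    sessions = [{c.upper() for c in parse_reg_query(s).values()} for s in snapshots]
    return [{"command": cmd, "image": image_name(cmd),
             "in_system_dir": "\\WINDOWS\\SYSTEM\\" in cmd,
             "page_name": image_name(cmd) in PAGE_NAMES}
            for cmd in sorted(set.intersection(*sessions))]
```

Because the file name differs between versions, the recurrence and the \Windows\System\ location are the more durable signals; the name match only confirms this particular variant.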



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

After initial installation, the trojan drops a keylogging DLL from inside its body (as HKSDLL.DLL, but the name can be different in different versions) and registers itself as a service process. This way its task is not visible in Task Manager.

The trojan monitors keyboard input, captures logins and passwords for RAS (Remote Access Server), gathers information about the network to which the infected computer is connected (IPs, passwords, scripts) and sends all of this information to an e-mail address that is stored in encrypted form in the trojan's body. The trojan uses an anonymous mail server to send the e-mails; the name of the server is also stored in the trojan's body in encrypted form.

The trojan stays installed on an infected system for a limited time. After its time limit expires, the trojan deletes itself from the system.





Technical Details: Alexey Podrezov; F-Secure Corp.; May 2001


