by ACrazzi & Shade
Written in Visual C++
Released in July 1999
Made in Russia
Hooker, the intelligent trojan keylogger ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (version 2.4) Disclaimer ~~~~~~~~~~ This program was created in educational purposes only. Authors do not will be liable for data loss, damages, loss of profits for any other kind of loss while using or misusing this program. No person or company may charge a fee for the distribution of Hooker. Authors do not will be liable for any kind of illegal using of this program. Hooker may be distributed freely without any charge for it. Authors do not mind about the disassembling of any part of code. If you do not agree with this terms, stop using this program. What is Hooker? ~~~~~~~~~~~~~~~ Hooker is the simple mailing trojan. Here is the list of it's features: - keylog function (fairly simple, not so extended like in HookDump) - You can define any option you can imagine - there are tons of them - Hooker can look for RAS-connections - Hooker can download files from any location in internet and start them absolutely invisible from user - you can use hooker as intruding module for starting the bigger trojans like NetBus or BO - Works under any Win32 platform (Win95/98/NT) - Well-commented sources are available for free - you can build your very own version of hooker ;) Trojan part is written on MS Visual C++ 5.0. MFC or any another nonstandard libraries wasn't used. Therefore, Hooker can be executed on any Win32 platform with minimum set of DLLs. May be, Hooker can be compiled under Borland C or even Watcom, but we have not tested it. I think that Hooker can be viewed as a classical sample of trojan. And may be, someone can build smth really good based on Hooker. And may be, he (or she) will even credit us... :) Installation in system ~~~~~~~~~~~~~~~~~~~~~~ During the first run Hooker moves it's body into directory which is predefined in the configuration. You should keep in mind following things, when you will choose the place in registry from which Hooker will run: HKEY_LOCAL_MACHINE - Hooker will start with any user HKEY_CURRENT_USER - Hooker will start only with current user \Software\Microsoft\Windows\CurrentVersoin\, and variants: Run if there is only name of file w/o path, Hooker must be in the directory, which is defined in the %PATH% environment variable. Remember, that system directory is not defined in %PATH% by default. RunServices file must be placed in the system directory (if there is only name without path). Works only under Win95/98. RunOnce used to run file only once. During the boot, OS will start file, then wait for it's termination and then kill it from RunOnce. RunServicesOnce like a RunOnce, but for system directory. Does not work under WinNT. Hooker can be called from RunOnce and RunServicesOnce, and it will not pause the boot process, because it will restart imediatelly with the Restart_ID key, where ID is the ident number (DWORD, computed from the date and time of configuration). Hooker will not be started only once, because it will rewrite it's sting in RunOnce (RunServicesOnce) in a short period of time. Keylogging ~~~~~~~~~~ Keylogging feature is very simple under Win32. It can be done using the system hook. All you need is to redefine CallBack function used for keypresses to yours, which must be situated in DLL. In Hooker CallBack function writes pressed keys in little buffer in the segment of dynamic data for this DLL. By calling of the appropriate DLL-functions you can free this buffer or read information from it. We recommend to give different names to keylogging dll for every configuration you create. There are some options for keylog which you can choose depending of the aims you follow and preferred size of log: - Hooker can log keypresses in the every window or only in windows which have predefined substring in it's titles (for example, "login", "passw", "term" etc). - Hooker can log all keys including SHIFT, ALT, TAB, CTRL, Caps Lock etc or log only text-keys (chars etc). - sometimes you want to spy for pc - then set "Log windows where nothing was pressed" feature on. Believe us, you can get so many information just in looking the titles and links your "victim" surfs. If you do not want keylog feature, then just delete all substring to search and set "Full keylog" option off. Detecting of modem-connections. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ How program can say, are you connected to internet or not? There is no solution which can cover all the situations. If user connects to inet using the Dial-Up Networking, then he or she is using RAS-functions - it's the mostly used case, and in this case RASAPI32.DLL is used. But sometimes people connects to inet via LAN, and RAS is not used. Therefore, you must wisely set option "RAS" - set it to on if RAS is used, and to off if not. If connection is successfully established, Hooker logs time, phone number, IP of user and IP of server. Web-files downloading and executing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of programs for remote administering if countless. BackOrifice, NetBus, DeepThroat, WinCrash... Tons... And their weight (in kbs) is usually tons. :) Hooker's size is only 20 kb, but it is not so complex like BO. And here goes one of the innovating options: hooker can download and execute files from web using http protocol. Hooker downloads file from web in the system directory of windows and then executes it. If connection will be crashed during the download, Hooker will redownload file as far as possible. Check for a update performs every 30 minutes. If you want to download file from a nonstandard http port write addres like this: www.myhost.com/file.exe:8000 Thanks ~~~~~~ Thanks to all who tested Hooker, gave ideas and simply wrote all that they think about us. :) Eprst [email protected], Harmer [email protected], Alex [email protected], Plan [email protected], ����� [email protected], Dima [email protected], Androyd [email protected], Dark Monk [email protected] and to all I forgot... Hooker, the intelligent trojan keylogger ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (history) 1.0 ~~~ Just a experimental program with very weak possibilities (just a simple keylog). Was completely rewritten in the next versions. 2.0 ~~~ Now it sends a keylog. Added ripping of cached passwords (*.pwl). Installs in registry to the user-defined path. It is possible to define max size of a log-file, after which Hooker recreates it. Added keylog of windows with pre-defined words in title. Added self-destructing feature. 2.1 ~~~ Added sending of log after overflow. 2.2 beta 1 ~~~~~~~~~~ Fixed huge bug in keylogging - hook-function must be in DLL! Troyan became much stable. Added feature of http-files download. 2.2 beta 2 ~~~~~~~~~~ Fixed bug in function which adds system dates. 2.3 beta 1..4 ~~~~~~~~~~~~~ Added detection of a RAS-connections. Fixed bug in using of critical sections - sometimes there was conflicts of threads. Now keylogging DLL is packed by LZW. Some minor bugs fixed. 2.3 beta 5 ~~~~~~~~~~ Fixed bug with sending of keylog. If in window press only ".", troyan wasn't able to send mail preperly (Hooker simply flood mailbox with big amount of messages). 2.3 beta 6 ~~~~~~~~~~ Little changes in sendmail-procedure. Fixed unpleasant feature: Hooker didn't start on machine without rasapi32.dll - for example, on WinNT, which is not using Dial-Up Networking. Now, if this dll is not present Hooker simply do not detect RAS-connections. 2.4 ~~~ No more betas! It's a release. Fixed little bug in username and hostname detection. Added a couple of features: full keylog: if not checked, Hooker will log only windows, where was keystrokes. advanced log: if not checked, Hooker will not log extended keys (such as "Shift", "Alt" etc). Also fixed bug in connection by IP. ACrazzi & Shade, 24.7.1999 Server: size: 21 KBMegaSecurity