Full Version of this article can be found here

WinHook32.exe

What is it?
WinHook32.exe is a file associated with the W32.Mydoom.AC@mm worm.

What does it do?
W32.Mydoom.AC@mm is a mass-mailing worm that launches a Denial of Service (DoS) attack against a remote server. It can also spread through file-sharing networks.
When executed, the worm:
  1. Copies itself as WinHook32.exe in the system folder.
  2. Adds the value:

     "SystemWideHook for Windows NT" = "%WinHook32.exe"

     to the registry key:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  3. Adds the value:

     "Run" = "WinHook32.exe"

     to the registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  4. Creates a mutex named "focDSJSODidvjfdsivraSDOSDoisdi", so that only one copy of the worm runs at once on the compromised system.
The worm then searches for the Kazaa, Morpheus, and iMesh shared folders by querying the registry. It also searches for the following folders:
    • C:\Program Files\eDonkey2000\Incoming
    • C:\Program Files\LimeWire\Shared
It copies itself to any share folders it finds, using the following file names:
    • MSNCracker2005.exe
    • GameCrack2005.exe
    • Windows_Activation.exe
    • XP_Crack.exe
    • Office2005.exe
    • Install.exe
    • Setup.exe
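A defender-side check for the indicators listed above (the two registry persistence values and the share-folder lure names), as an added example that is not part of this page or of Symantec's writeup. It runs over a constructed .reg export and constructed folder listings rather than the live registry, so it works offline; the function names and sample data are assumptions.

```python
import re
# Registry persistence values the worm writes: (key, value name), from the writeup above.
PERSISTENCE_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "SystemWideHook for Windows NT"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
     "Run"),
]
# Lure names dropped into P2P share folders. Install.exe and Setup.exe are common
# legitimate names, so a hit on those alone is a weak indicator.
DROPPED_NAMES = {"MSNCracker2005.exe", "GameCrack2005.exe", "Windows_Activation.exe",
                 "XP_Crack.exe", "Office2005.exe", "Install.exe", "Setup.exe"}
# Constructed sample .reg export (not a real capture); .reg files double backslashes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemWideHook for Windows NT"="C:\\WINDOWS\\system32\\WinHook32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"Run"="WinHook32.exe"
'''
# Constructed sample listings of the share folders named in the writeup.
SAMPLE_SHARES = {
    r"C:\Program Files\LimeWire\Shared": ["song.mp3", "XP_Crack.exe"],
    r"C:\Program Files\eDonkey2000\Incoming": ["Setup.exe"],
}

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; only string (REG_SZ) values are kept."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # un-double the backslashes that .reg escaping adds
                entries[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def find_persistence(reg_text):
    """Return (key, value_name, data) for each indicator whose data names WinHook32.exe."""
    entries = parse_reg_export(reg_text)
    return sorted((key, name, data) for key, name in PERSISTENCE_INDICATORS
                  if (data := entries.get(key, {}).get(name))
                  and "winhook32.exe" in data.lower())

def find_dropped_files(share_listing):
    """share_listing: {folder: [file names]} -> sorted (folder, name) pairs that match a lure."""
    return sorted((folder, name) for folder, names in share_listing.items()
                  for name in names if name in DROPPED_NAMES)
```

On a real host, feed it the output of `reg export` for the two keys and a directory listing of the share folders; a registry hit is the strong signal, the lure names only corroborate it.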
Removal

@symantec