The Web    Google
1/3: Hilin Worm Written in Visual Basic

1/3: Hilin Worm Written in Visual Basic
January 3, 2005

W32/Hilin.worm is written in Visual Basic. It copies itself to mapped network drives and contains keylogging properties as well.

The worm uses Microsoft Word icon to fool users into opening it.

It then searches for Microsoft Word documents in the local harddisk and mapped network drives. These Word documents are deleted and replaced with a copy of the worm itself. It adopts the same filename as the original document and changes the extension to *.exe.

The worm copies itself to

%SYSDIR%\order.exe (where %SYSDIR% is C:\windows\system32 or C:\winnt\system32)

It hooks the following registry key to run itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Policies\EXPLORER\RUN "OFFICE" = %SYSDIR%\order.exe

More information can be found at McAfee page.

  • Mass-Mailing Worm Copies Itself to Windows Folder
  • 4/5: Bdoor-ZAT Trojan Opens Backdoor
  • 'Critical' Security Hole in Real's Helix Server
  • 802.11 Has DoS Vulnerability
  • IRS Giving Goods Away
  • Visa is monitoring merchants for security compliance
  • 3/8: SymbOS/Commwarrior-A Hits Nokia
  • Feds Bag Warez Convictions
  • Linux Heavies Issue Patches
  • 5/10: Mydoom-BQ a Mass-Mailing Worm
  • Microsoft to Strike IE URL Passwords
  • Security Camera Articles