The Web    Google
1/3: Hilin Worm Written in Visual Basic

1/3: Hilin Worm Written in Visual Basic
January 3, 2005

W32/Hilin.worm is written in Visual Basic. It copies itself to mapped network drives and contains keylogging properties as well.

The worm uses Microsoft Word icon to fool users into opening it.

It then searches for Microsoft Word documents in the local harddisk and mapped network drives. These Word documents are deleted and replaced with a copy of the worm itself. It adopts the same filename as the original document and changes the extension to *.exe.

The worm copies itself to

%SYSDIR%\order.exe (where %SYSDIR% is C:\windows\system32 or C:\winnt\system32)

It hooks the following registry key to run itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Policies\EXPLORER\RUN "OFFICE" = %SYSDIR%\order.exe

More information can be found at McAfee page.

  • 6/4: Agobot.300544 a Memory Resident
  • Web Services Security in .NET
  • 7/28: Downloader-NE.dr a New Trojan
  • 8/3: MyDoom-Q Arrives in the Wild
  • 1/3: Hilin Worm Written in Visual Basic
  • 5/19: Webloin Trojan Downloads DLL File
  • 7/9: HacDef-F a New Backdoor Trojan
  • Wi-Fi Security Review: AirMagnet
  • Protect Your Passwords -- Part 1
  • 2/21: Derdero-B Worm Uses File Sharing
  • Gilian Set to Unveil Enhanced Web Security Appliance
  • Security Camera Articles