Author Topic: "phim nguoi lon.exe" not detected by Avast Home.

beelz

  • Guest
"phim nguoi lon.exe" not detected by Avast Home.
« on: April 24, 2008, 05:08:01 PM »
I keep getting this virus from cybercafes in Vietnam. It puts two files on my flash drive, "phim nguoi lon.exe" and "secret.exe." Secret.exe is a hidden file that doesn't even show up when you tell Windows to show hidden files. It only shows up in a Winfile search.

I do wish that Avast would detect this critter, as it is said to be very dangerous:

http://forums.mcafeehelp.com/showthread.php?t=219224

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #1 on: April 24, 2008, 05:21:40 PM »
Can you send the samples to virus@avast.com ?
You can zip and password the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
The best things in life are free.

beelz

  • Guest
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #2 on: April 24, 2008, 05:42:37 PM »
Okay, next time I encounter the files, I will do this.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #3 on: April 24, 2008, 11:52:20 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

beelz

  • Guest
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #4 on: April 25, 2008, 05:54:41 PM »
Thanks Polonus, this seems like a truly monstrous virus. I wish Avast would add protection against it. I haven't encountered it in the last few days, so can't send it. Does Avast really need me to email the virus to them in order to protect against it? Surely they can get a copy of it from the Virus Community???

beelz

  • Guest
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #5 on: April 27, 2008, 04:25:08 PM »
I stand corrected. Yesterday, Avast did detect a new invasion of Phim Nguoi Lon.exe and secret.exe. Maybe because I updated the database. "Malware was found", the program said. However, Avast identified both of the viruses as Win32-rootkit-gen[rtk]. When I search this, I don't find any indication that Win32-rootkit-gen[rtk] is the same virus as phim...and secret.

Also, I found this forum post that seems to suggest it's a false positive:

misak
ALWIL team
Jr. Member
Posts: 34
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #12 on: April 14, 2008, 08:07:29 AM »

False positive alert Win32:Rootkit-gen [Rtk] will be fixed in next VPS update.

from http://forum.avast.com/index.php?topic=34668.0

But it's not a false positive! If it's the same virus as Phim and Secret, it's a dangerous virus, according to other info on the web.
« Last Edit: April 27, 2008, 04:33:12 PM by beelz »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #6 on: April 27, 2008, 05:59:09 PM »
It may just be that it falls into that group for detection. The file you refer to in the link is not the same file you are concerned about.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #7 on: April 27, 2008, 09:45:28 PM »
Rootkit-gen stands for more than one detection... your files are detected correctly ;)

beelz

  • Guest
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #8 on: April 29, 2008, 05:28:04 PM »
Sorry to report that, strangely, both "phim" and "secret" got onto my flash drive again, and this time Avast did NOT detect it. Go figure!

What do you do when you know you have a virus and the program will not detect it? Can you just delete it or is there a way to get it into the virus vault? I have been deleting them from my flash drive but sometimes they get onto my computer hard drive and I wonder if deleting it is not enough. But with a file like "secret.exe" which is invisible in Explorer and Explorer2, and even in Winfile, and only turns up when you use the "search" function in Winfile (search in Explorer and Explorer2 fail to find secret.exe even though it's there and "search hidden files" is selected), how would I get it into the vault from a "search results" screen in Winfile?

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #9 on: April 29, 2008, 07:25:32 PM »
it's probably a new variant.. can you send the files to virus[at]avast[dot]com?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: "phim nguoi lon.exe" not detected by Avast Home.
« Reply #10 on: April 29, 2008, 11:19:15 PM »
Hi beelz,

Below is some information on this malware and removal instructions:

Summary

Affected operating systems: Windows
Characteristics: Installs itself in the registry
Included in our products from: October 2005 (3.98)
Protection available since: 31 August 2005 00:37:28 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
"<System>\Secret.exe" FormaT

and delete it if it exists.

Close the registry editor.
More Information

Troj/Delf-LW is a Trojan for the Windows platform.

When first run Troj/Delf-LW copies itself to <System>\Secret.exe.

The following registry entry is created to run Secret.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
"<System>\Secret.exe" FormaT

When the computer is next rebooted and Troj/Delf-LW is launched on startup, it first disables the Task Manager, and tries to prevent a log-off or shutdown from occurring.

Troj/Delf-LW then proceeds to attempt to delete every file and folder on the entire system, while displaying a progress bar entitled "Updating System Configuration".

Once Troj/Delf-LW has finished deleting files, it displays a message saying "Yedinmi Yarraaa?".

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
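An added example, not code from this thread, from Avast, or from the Sophos writeup polonus quoted: a Python script that audits a regedit export (the "Export Registry File" backup the removal steps above tell you to make) for Run entries that launch Secret.exe or carry the FormaT argument, plus a helper that explains why secret.exe never shows up in Explorer: a file with both the Hidden and System attributes set is treated as a "protected operating system file", and "Show hidden files" alone does not list it until that separate option is also switched off. The .reg contents are constructed sample data (the Secret entry mirrors the value in the writeup; the other entries are invented benign ones); the Run key paths are the standard ones. The attribute scan relies on os.stat().st_file_attributes, which Python fills in on Windows only, and the drive letter in the usage line is an assumption.

```python
import os
import re

# Constructed sample of a regedit export. The "Secret" entry mirrors the
# persistence value described for Troj/Delf-LW; the others are made-up benign
# entries so the filter has something to leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secret"="\"C:\\WINDOWS\\system32\\Secret.exe\" FormaT"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg
    export. dword:/hex: values are not command lines, so they are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys

def executable_of(command):
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def find_suspicious_run_entries(keys):
    """Flag Run/RunOnce values matching the Troj/Delf-LW entry in the writeup.
    Returns (key, value_name, command, reason) tuples."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            reasons = []
            if executable_of(command).rsplit("\\", 1)[-1].lower() == "secret.exe":
                reasons.append("command runs Secret.exe")
            if name.lower() == "secret":
                reasons.append('value is named "Secret"')
            if command.strip().lower().endswith(" format"):
                reasons.append("trailing FormaT argument")
            if reasons:
                findings.append((key, name, command, "; ".join(reasons)))
    return findings

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

def explorer_visibility(attributes):
    """Classify a Win32 attribute bitmask by how Explorer's view options treat it."""
    hidden = bool(attributes & FILE_ATTRIBUTE_HIDDEN)
    system = bool(attributes & FILE_ATTRIBUTE_SYSTEM)
    if hidden and system:
        # only listed once "Hide protected operating system files" is unchecked
        return "superhidden"
    return "hidden" if hidden else "visible"

def scan_for_superhidden(root):
    """List files under root that Explorer hides even with hidden files shown
    (st_file_attributes is populated on Windows only; elsewhere nothing matches)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
            except OSError:
                continue
            if explorer_visibility(attrs) == "superhidden":
                hits.append(path)
    return hits

if __name__ == "__main__":
    for key, name, command, reason in find_suspicious_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name} -> {command}  [{reason}]")
    print(scan_for_superhidden("E:\\"))  # assumed flash drive letter
```

Run it against your own export by reading the .reg file (regedit writes UTF-16, so open it with encoding="utf-16") and passing the text to parse_reg_export; a hit on the Secret value is the entry the Sophos steps say to delete, and scan_for_superhidden on the flash drive lists the files that only a tool ignoring Explorer's view filters (such as the Winfile search beelz used) will show.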