I keep getting this virus from cybercafes in Vietnam. It puts two files on my flash drive, “phim nguoi lon.exe” and “secret.exe.” Secret.exe is a hidden file that doesn’t even show up when you tell Windows to show hidden files. It only shows up in a Winfile search.
I do wish that Avast would detect this critter, as it is said to be very dangerous:
Can you send the samples to virus@avast.com ?
You can zip and password the files… Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
Okay, next time I encounter the files, I will do this.
Hi beelz,
Consider this info:
http://www.bleepingcomputer.com/startups/Secret.exe-12136.html
polonus
Thanks Polonus, this seems like a truly monstrous virus. I wish Avast would add protection against it. I haven’t encountered it in the last few days, so can’t send it. Does Avast really need me to email the virus to them in order to protect against it? Surely they can get a copy of it from the Virus Community???
I stand corrected. Yesterday, Avast did detect a new invasion of Phim Nguoi Lon.exe and secret.exe. Maybe because I updated the database. “Malware was found”, the program said. However, Avast identified both of the viruses as Win32-rootkit-gen[rtk]. When I search this, I don’t find any indication that Win32-rootkit-gen[rtk] is the same virus as phim…and secret.
Also, I found this forum post that seems to suggest it’s a false positive:
misak
ALWIL team
Jr. Member
Offline
Gender:
Posts: 34
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #12 on: April 14, 2008, 08:07:29 AM »
False positive alert Win32:Rootkit-gen [Rtk] will be fixed in next VPS update.
from http://forum.avast.com/index.php?topic=34668.0
But it’s not a false positive! If it’s the same virus as Phim and Secret, it’s a dangerous virus, according to other info on the web.
It may just be that it falls into that group for detection. The file you refer to in the link is not the same file you are concerned about.
Rootkit-gen stands for more than one detection… your files are detected correctly 
Sorry to report that, strangely, both “phim” and “secret” got onto my flash drive again, and this time Avast did NOT detect it. Go figure!
What do you do when you know you have a virus and the program will not detect it? Can you just delete it or is there a way to get it into the virus vault? I have been deleting them from my flash drive but sometimes they get onto my computer hard drive and I wonder if deleting it is not enough. But with a file like “secret.exe” which is invisible in Explorer and Explorer2, and even in Winfile, and only turns up when you use the “search” function in Winfile (search in Explorer and Explorer2 fail to find secret.exe even though it’s there and “search hidden files” is selected), how would I get it into the vault from a “search results” screen in Winfile?
it’s probably a new variant… can you send the files to virus[at]avast[dot]com?
Hi beelz,
Below some information on this malware and removal instructions:
Summary
* Summary
* Action
* More Information
*
Affected operating systems Windows
Characteristics
* Installs itself in the registry
Included in our products from October 2005 (3.98)
Protection available since 31 August 2005 00:37:28 (GMT)
Detected by All Sophos products
Action
* Summary
* Action
* More Information
*
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the ‘Registry’ menu, click ‘Export Registry File’. In the ‘Export range’ panel, click ‘All’, then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
"\Secret.exe" FormaT
and delete it if it exists.
Close the registry editor.
More Information
* Summary
* Action
* More Information
*
Troj/Delf-LW is a Trojan for the Windows platform.
When first run Troj/Delf-LW copies itself to \Secret.exe.
The following registry entry is created to run Secret.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
"\Secret.exe" FormaT
When the computer is next rebooted and Troj/Delf-LW is launched on startup, it first disables the Task Manager, and tries to prevent a log-off or shutdown from occuring.
Troj/Delf-LW then proceeds to attempt to delete every file and folder on the entire system, while displaying a progress bar entitled “Updating System Configuration”.
Once Troj/Delf-LW has finished deleting files, it displays a message saying “Yedinmi Yarraaa?”.
polonus