58566 Views 6 Replies Latest reply: Feb 24, 2010 1:26 PM by MediaProduction RSS
Newcomer 1 posts since
Feb 25, 2008

Feb 25, 2008 10:39 PM

phim nguoi lon.exe or  secret.exe

Just curious if anyone has run into these two files? All I could find was some stuff on Google, but it was in Vietnamese, so I couldn't get much out of it.

I work for a camera shop and I noticed the first file showing up on people's memory cards on one of my computers. Found it kind of odd. I tried it on another computer and the security software that was installed on it said both of these files were trying to write to cards on my card reader even when there were no cards there. This is about all I can figure it does.

Any info would be nice on this and how to make sure it stays off our computers short of doing a complete reghosting of the drive.

Thanks.
Dom
  • paullotion Apprentice 8,078 posts since
    Apr 13, 2006
    1. Feb 26, 2008 4:44 AM (in response to Dommer75)
    RE: phim nguoi lon.exe or secret.exe
    Dom

    Send the files to the lab,if.
    http://vil.nai.com/vil/submit-sample.aspx
    Or
    https://www.webimmune.net/default.asp

    You can also upload them to VirusTotal:
    http://www.virustotal.com/

    The Black Bear

    *Important News for BT/TalkTalk customers*

    BT/TalkTalk dump Phorm spyware, for more information see this article Here , also visit the NODPI website for much more information relating to DPI.
  • Newcomer 2 posts since
    Mar 17, 2008
    2. Mar 17, 2008 6:54 PM (in response to Dommer75)
    RE: phim nguoi lon.exe or secret.exe
    I work at a camera shop as well. I've seen this virus and it spreads once you stick a memory card into your card reader and vice versa to computer. I believe it was spread via photo frame. It's a backdoor trojan that attaches itself to rundll.32.exe and shell32.dll. I brought it home not knowing it was on my memory card and now my computer has been out of commission for 5 days. I brought my computer to the shop and they couldn't figure it out. I deleted it from my system and it gave me the login logout loop in Windows login. It spread to my BIOS and I now need a new motherboard. We actually reformatted our work computer and it showed back up, so it must be BIOS resident. I know how to recover from viruses, but this one is just nasty. It's costing me time and money. Not a good thing.
  • paullotion Apprentice 8,078 posts since
    Apr 13, 2006
    4. Mar 18, 2008 7:21 AM (in response to afterdarc)
    RE: phim nguoi lon.exe or secret.exe
    According to Sophos: Troj/Delf-LW then proceeds to attempt to delete every file and folder on the entire system, while displaying a progress bar entitled "Updating System Configuration".

    Once Troj/Delf-LW has finished deleting files, it displays a message saying "Yedinmi Yarraaa?".

    http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelflw.html

    Do you still have the files on your PC?

    The Black Bear

  • Newcomer 1 posts since
    May 26, 2008
    5. May 26, 2008 1:13 AM (in response to Dommer75)
    RE: phim nguoi lon.exe or secret.exe
    hi all,

    I also have this virus, but my Norton 2003 with updated definitions did not pick it up.

    What is weird is that all my files are still here, nothing has been deleted (or so I don't think so). I have had it for about a week now. My BIOS has a password too.

    Now every USB I put into my computer gets the virus but thankfully it doesn't spread. My laptop which has no internet connection or antivirus has had my USB plugged into it but still all its files are there.

    I want to know how I can delete it from my USB. (I quarantined it with Norton and deleted the file, but it just comes back.) Also, I checked my registry but I couldn't find "secret" in there.

    I did some research but not many websites say anything about this virus. Some say it is also known as secret.exe.

    I really want to stop this from going to all my USBs. Can you please help me?
  • Newcomer 1 posts since
    Feb 24, 2010
    6. Feb 24, 2010 4:28 PM (in response to Dommer75)
    Re: phim nguoi lon.exe or secret.exe

    I found this thread when I was researching this virus and wanted to add my experience with it. I have a Media class with HDD camcorders and video editing computers. We picked this up from someone's (a high school student) USB stick, iPod or wherever. We were on the internet briefly, but my editing computers don't have virus protection (long story) but I think it came from a stick drive or someone's personal HDD camcorder. We have seen little damage but weird stuff is starting to happen more than a month after the infection. Today a student couldn't find their still pictures in the designated DCIM file. I can clean the camcorders off with my office school computer, but when they go back to the editing computers they reinfect each other. So today I cleaned off the camcorder and was able to retrieve the still pictures onto another drive, but you still can't see the pictures on the camcorder itself. The virus moves/deletes/hides the containing folder but seems to retain the images but doesn't seem to bother the video (maybe that is next). We didn't know if we were even going to bother removing it but now that it has started hiding files we are going to try to kill it. An interesting part of the problem is that it infects media devices but not our big portable hard drives. All of our 500 GB and terabyte drives don't get the virus.

    Another very interesting issue is that you can actually see the virus on the camcorders. It appears either as secret.exe or the other one and with companion files, either autorun.inf or an AV_Info folder. I truly hate this virus! I will update this post when we get it cleaned to see what it has damaged. So far the computers are fine because they aren't on the internet. I think this virus is just waiting to be spread so without resources it hasn't slowed us down or hurt our video projects.

    Message was edited by: MediaProduction on 2/24/10 4:28:17 PM CST
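
Added example (not part of the thread and not any poster's code): a read-only Python check that could be run against a mounted memory card, USB stick or camcorder volume before it is used on another machine. It reports the programs an autorun.inf in the volume root would launch, the two file names reported in this thread, and any other executable sitting in the root; the function names and the constructed sample volume are assumptions made for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# File names reported in this thread; compared case-insensitively.
THREAD_NAMES = {"phim nguoi lon.exe", "secret.exe"}

def autorun_targets(root):
    """Return the programs autorun.inf in the volume root asks Windows to launch."""
    inf = next((p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(inf.read_text(encoding="utf-8-sig", errors="replace"))
    except configparser.Error:
        return ["<unparseable autorun.inf>"]  # junk-padded files still get reported
    targets = []
    for section in (s for s in parser.sections() if s.lower() == "autorun"):
        for key, value in parser.items(section):
            # open=, shellexecute= and shell\<verb>\command= all name a program to run
            if value and (key in ("open", "shellexecute") or key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def scan_volume(root):
    """Return sorted (kind, name) findings for one mounted card or stick (read-only)."""
    findings = {("autorun-target", t) for t in autorun_targets(root)}
    for entry in Path(root).iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() in THREAD_NAMES:
            findings.add(("thread-name", entry.name))
        elif entry.name.lower().endswith(".exe"):
            findings.add(("root-exe", entry.name))
    return sorted(findings)

def demo():
    """Scan a constructed sample volume built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DCIM").mkdir()
        (root / "secret.exe").write_bytes(b"constructed placeholder, not a real sample")
        (root / "autorun.inf").write_text("[AutoRun]\nopen=secret.exe\n")
        return scan_volume(root)

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

An empty result means only that none of these three indicators is present in the volume root; it is not a substitute for an antivirus scan or for submitting the files to a lab as suggested earlier in the thread.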
