FunLove:

| Virus name       | W32.FunLove.4099          |
| Aliases          | FLCSS, Win32.FLC          |
| Operating system | Windows 9x and Windows NT |

Infection:
So far the virus has only been noticed "in the wild".
Payload:
When a file infected with the FunLove virus is run, the virus searches all local and network drives for infectable files. It infects only PE (Portable Executable) files, that is, files with the extension .EXE, .OCX or .SCR. The infection routine is executed in the background, so the user does not notice any delay. During this infection the virus creates a Win32 PE-format file named "FLCSS.EXE" in the %SYSTEM% directory (this is normally the Windows/Winnt directory). The virus executes this file, which starts as an application in the background (Windows 95/98) or as a service (WinNT). After this, all PE files on the local and network drives C: to Z: to which the user has write access are infected. If an error occurs while creating FLCSS.EXE, the infection is run from the infected PE file.
On the Windows NT operating system the virus is more dangerous. If an NT PC that has administration rights is infected, the virus attacks the security system. All users get full access, i.e. a guest will be able to change or delete files. This can also happen if a user PC with administrator rights is infected later.
Mutation of the PE files:
The virus writes its code to the end of the file being infected and writes the command "Jump Virus" into the start routine (the first 8 bytes of the file), which guarantees that the virus starts when the file is executed.
The virus tries to evade virus scanners and therefore does not infect files named ALLER*, AMON*, AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA* and MPLA*.
Mutation in Windows NT:
The change of the access rights is achieved by a small change in the security API named SeAccessCheck. Only 2 bytes of this API are changed, by patching NTOSKRNL.EXE.
How to recognize that the virus is on your PC:

  - The file FLCSS.EXE exists in the %SYSTEM% directory
  - The PE files are 4099 bytes longer
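
The two signs above can be checked automatically. The following is an added example, not part of the original page: it assumes a size manifest recorded on a known-clean system is available, and the names `triage`, `is_pe`, `baseline` and the sample tree are hypothetical.

```python
import os, struct, tempfile

VIRUS_LEN = 4099                       # growth of infected files, as stated on this page
TARGET_EXT = (".exe", ".ocx", ".scr")  # extensions the page lists
DROPPER = "flcss.exe"                  # file the page says appears in %SYSTEM%

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def triage(root, baseline, system_dir):
    """baseline maps lower-case relative path -> size on a known-clean system (assumed input)."""
    findings = []
    for name in os.listdir(system_dir):
        if name.lower() == DROPPER:
            findings.append(("dropper", os.path.join(system_dir, name)))
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            old = baseline.get(rel)
            if old is None or not rel.endswith(TARGET_EXT):
                continue
            # Flag only real PE files that grew by exactly the virus length.
            if os.path.getsize(full) - old == VIRUS_LEN and is_pe(full):
                findings.append(("grew_4099", rel))
    return sorted(findings)

def demo():
    """Constructed sample tree: one grown PE, one unchanged PE, one grown non-PE, the dropper."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
    samples = {"notepad.exe": pe + b"\0" * VIRUS_LEN, "calc.exe": pe,
               "saver.scr": b"x" * (len(pe) + VIRUS_LEN), "system32/FLCSS.EXE": pe}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "system32"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = {n: len(pe) for n in ("notepad.exe", "calc.exe", "saver.scr")}
        return triage(root, baseline, os.path.join(root, "system32"))

if __name__ == "__main__":
    print(demo())
```

A size increase of exactly 4099 bytes is only a triage signal; a flagged file should still be confirmed with an up-to-date scanner before it is restored or deleted.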
      
Remarks:
The FunLove virus is not resident, i.e. it is not permanent in memory. Because the virus also infects EXPLORER.EXE, it is activated at every system start. If you execute FLCSS.EXE in DOS, the text string ~Fun Loving Criminal~ is visible. After this your PC is rebooted and attempts to start Windows.

Copyright by All-About-PC. All rights reserved. All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others.
Although all information on this website is carefully researched and mostly checked and confirmed by secondary sources, we do not take responsibility for any damage arising from the use of the information on our site.