Back to the Homepage
german version

An easy guide to build yourself a PC
Hardwaretests: Testresults and benchmarks
Viruses: Prophylaxis, identification, removal

All About PC - get in contact
All About PC - Impressum
Links

 Latest Reviews 

Click to read the review!
ABIT VP6
Click to read the review!
ASUS A7V133
Click to read the review!
EPOX 8KTA3+
Click to read the review!
DEEP OCEAN SCREEN SAVER

 Reviews 
 Virus Descriptions 


Danger
Diffusion

The FunLove virus was only seen "in the wild" so far. It infects PE-files

FunLove:

Virus name

W32.FunLove.4099

Aliases

FLCSS, Win32.FLC

Operating system

Windows 9x and Windows NT

Infection:
The Virus was only noticed "in the wild" so far.

Payload:
After the activation of a file, which is infected with the FunLove-virus, the virus searches on all local and network drives for infectable files. It infects only PE-files (Portable Executable), that are files with the extension .EXE, .OCX, .SCR. The infectionroutine is executed in thr background, so that the user cannot recognize any delay.
During this infection he creates a WIN 32 PE-formated file named "FLCSS.EXE" in the %SYSTEM% directory (this is normally the Windows/Winnt-directory). The Virus executes thid file, which starts an application in the background (Windows 95/8) or an service (WinNT). After this all PE-files on the local drives and network drives C: to Z:, on which the user has a write access, are infected. If an error accures on creating the FLCSS.EXE, the infection is run from the infected PE-file.
On the operation system Windows NT the Virus is more dangerous. Is an NT-PC infected, which has administration rights, so the Virus attacks the security system. All users will get full access, i.e. a guest will be able to change or delete files. This can also happen, if an user-PC with administrator rights is infected later.

Mutation of the PE-files:
The Virus writes its code to the end of the infection file and writes the command "Jump Virus" into the starting routine (the first 8 bytes of the file), that garantees the starting of the virus, if the file is executed.
The virus tries to circumvent virusscanners and so infects no files as ALLER*, AMON*, AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA* and MPLA*.

Mutation in Windows NT:
The Change of the access rights is obtained by a little change in the security-API named SeAccessCheck. In this API only 2 bytes are changed with a patch NTOSKML.EXE 

Realisation, that the virus is upon your PC:

  • The file FLCSS.EXE in the %SYSTEM%-directory exists
  • The PE-files are 4099 bytes longer

Remarks:
The FunLove-virus is not resistent, i.e. it is not permanent in memory. Because of the fact, that the virus infects the EXPLORER.EXE too, the virus is activated in every system start. If you execute the FLCSS.EXE in DOS the textstring ~Fun Loving Criminal~ is visible. After this your PC is rebootet and attempts to start windows.

Copyright by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others. 
Although all information on this website is hardly recherched and mostly checked and confirmed from secondary side, we do not take the responsibillity for any damage originated from the use of the information on our site.