Virus Profile: W32/FunLove.4099

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 11/9/1999
Date Added: 11/9/1999
Origin: Newsgroup Posting
Length: 4,099
Type: Virus
Subtype: Win32
DAT Required: 4052
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

1) Increase in size by 4099 bytes under Windows 9x/ME, and under Windows NT/2K/XP a variable length increase of at least 4099 bytes.

2) Display of the "~Fun Loving Criminal~" Message.

3) The existence of the file FLCSS.EXE in the Windows system folder.

4) Activity on both local hard disks and over the network as the virus looks for new victims to infect.

5) Certified ActiveX controls give a warning that the signature no longer matches the file.

Methods of Infection

Running infected file will directly infect the local system and available network shares.

Because the virus infects ActiveX controls (OCX files) the possibility of infecting systems via a web-browser that supports ActiveX controls also exists.

If the virus infects a server that contains web pages with embedded ActiveX controls, and these controls get infected then any user browsing the web page will be infected after downloading and executing the ActiveX control. If the ActiveX control is unsigned and the browser security settings are set to low then no warning will be given to the user. If however the infected ActiveX control is signed then because of the virus infection, the user will be warned that the signature no longer matches the file, and given the option of not running the ActiveX control.

Aliases

FLCSS.EXE, Funlove, PE_FUNLOVE.4099 (Trend), W32.FunLove.4099 (NAV), W32.Funlove.int (NAV), W32/Flcss (Sophos), W32/Funlove.4099.dr (VirusScan), W32/FunLove.dr, W32/FunLove.gen (VirusScan), W95/FunLove.4099 (F-Prot), Win32.FLC, Win32.FunLove.4070 (AVP)
   

Virus Characteristics

Update February 28, 2001:
Please review the corporate environment removal instructions .RTF file, updated Feb 28, 2001.

Update September 30, 2000:
Please note updated instructions in the removal section for Corporate environments which give a detailed step-by-step process that when followed will be successful in the innoculation and removal of this virus from your environment.

This virus is a parasitic Win32 PE file virus that infects EXE, SCR and OCX files by appending itself to the last PE section of the file. The virus also overwrites the first 8 bytes of code at the start of the program with a jump to the virus's code. Cleaning this virus requires using SCAN.EXE with a minimum engine of v4.0.70, in combination with VirusScan or NetShield 4.5 product.

Under Windows9x/ME the file length is increased by 4099 bytes, but under Windows NT/2K/XP the file length increase is a minimum of 4099 bytes and is usually more, up to approximately 7000 bytes has been observed in tests.

When the virus is first run, it drops a file called FLCSS.EXE into the SYSTEM folder, if this file does not already exist. This exe file is then run as a separate process and becomes the resident portion of the virus. The virus then directly infects all EXE, SCR, and OCX files in the folders Program Files and WINDOWS (%WinDir%), including any sub folders. As the default Windows shell Explorer.exe is kept in here, the virus is re-executed whenever the system is restarted.

Under Windows NT/2K/XP, the virus uses a routine borrowed from the W32/Bolzano virus to patch the files NTOSKRNL.EXE and NTLDR if the current user is logged in with administrator rights. This patch, which is activated after the next system restart, allows all users full administrator rights to the system. This allows the virus (and any low-level users) full, unrestricted access to all the files on the system.

Periodically the virus scans any network shares with write access, and infects any EXE, SCR and OCX files on any shared network drives. The "FLC" process runs in the background, first exploring the local drives, then waiting a random amount of time - depending on a random number it either goes back to exploring the local drives, or starts exploring the network, then going back to exploring the local drives after exploring the network.

The virus is not encrypted or polymorphic.

When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.

Variants

Variants information
Virus Name Type Subtype Differences
W32/FunLove.app Virus Win32 Added to 4112 DATS and improved in 4115 DATS. Detection is for samples which contain the body of the FunLove virus but is inactive and therefore the virus cannot replicate. The body of the virus is found at the end of a PE file (windows EXE file). It can be removed.
   
Cleaning this virus requires using SCAN.EXE with a minimum engine of v4.0.70, in combination with VirusScan or NetShield 4.5 product.

Command Line Stand Alone W32/FunLove.4099 Virus Remover

On WinNT, the NTOSKRNL.EXE and NTLDR files should be restored from backup to remove the potential security hole created by FunLove.

Removal of the FUNLOVE Virus Worm in an Enterprise Environment (.RTF).

For Bootscan,
Using a clean system, extract this update and copy over existing emergency boot disk files.

This virus can be cleaned off any hard drives using an emergency disk made from a known clean system.

The cleaned system must remain disconnected from any network until all the remaining systems have been scanned and cleaned. You will need to boot from a clean floppy with the emergency repair product on each system, including Microsoft servers.

The virus in any infected system will infect other systems on the same network that "share" disk space. It additionally is memory resident and will re-infect all systems that share disk space with it as fast as you clean them if connected to the network during or after cleaning.

Cleaning Windows 9x/ME, WinNT/2K/XP FAT systems:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCAN.EXE C: /CLEAN /ALL"

Cleaning Windows NT/2K/XP NTFS systems