Win32.Funlove

HIGH
HIGH
4099 bytes
(Win32_FLC, Win32.FLC, FLCSS)

Symptoms

  • the presence of the flcss.exe file in the Windows\System folder on Windows 9x/Me or Winnt\System32 on Windows NT/2K

Removal instructions:

    BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.

    1. If you don't have BitDefender installed, click here to download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.FunLove.
    To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

    Analyzed By

    Victor Sorin Dudea BitDefender Virus Researcher

    Technical Description:

    Win32.Funlove.4099 is a Win32 virus that infects Windows 32 portable executable (PE) files, including .exe, .ocx and .scr file types, on Windows 9x, Windows NT 4.0 and Windows 2000 machines.

    When an infected file is run, the virus creates the flcss.exe file in the Windows system folder (\Windows\System for Windows 95/98/Me or \Winnt\System32 for Windows NT). This file is then executed, infecting files from the Windows and Program folders. The virus creates a thread inside the infected program that infects portable executable files with the extensions .exe, .ocx and .scr on local and network drives.

    While infecting a file, the virus writes its code to the end of the file, into the last file section, and patches the file's startup routine with 8 bytes of code that pass control to the virus body. When activated, the virus first restores these 8 bytes and then starts its main code.

    Files whose names begin with the following letters are excluded and will not be infected:

    ALER
    AMON
    AVP
    AVP3
    AVPM
    F-PR
    NAVW
    SCAN
    SMSS
    DDHE
    DPLA
    MPLA
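
The targeting rules above (the .exe, .ocx and .scr extensions, the excluded name prefixes, and the flcss.exe dropper location from the Symptoms section) can be turned into a triage pass over a file listing, so the files the virus could have touched are scanned first. This is an added example, not BitDefender's code; the function names, labels and sample paths are constructed, and case-insensitive matching is an assumption.

```python
import ntpath  # parses backslash and UNC paths correctly on any host OS

# Values taken from the write-up above.
TARGET_EXTENSIONS = {".exe", ".ocx", ".scr"}
EXCLUDED_PREFIXES = ("ALER", "AMON", "AVP", "AVP3", "AVPM", "F-PR",
                     "NAVW", "SCAN", "SMSS", "DDHE", "DPLA", "MPLA")
DROPPER_NAME = "flcss.exe"
DROPPER_DIRS = ("windows\\system", "winnt\\system32")


def classify(path):
    """Return a triage label for one Windows path."""
    directory, name = ntpath.split(path)
    ext = ntpath.splitext(name)[1]
    # Assumption: compare case-insensitively, as Windows file names are.
    if name.lower() == DROPPER_NAME and directory.lower().endswith(DROPPER_DIRS):
        return "dropper"            # the symptom file itself
    if ext.lower() not in TARGET_EXTENSIONS:
        return "out-of-scope"       # not a file type the virus infects
    if name.upper().startswith(EXCLUDED_PREFIXES):
        return "excluded-by-name"   # virus skips these; scan at lower priority
    return "scan-first"             # matches the infection criteria


def triage(paths):
    """Group paths by label so the scan queue can be ordered."""
    groups = {}
    for p in paths:
        groups.setdefault(classify(p), []).append(p)
    return groups


# Constructed sample listing (local and network paths).
SAMPLE = [
    r"C:\WINNT\System32\flcss.exe",
    r"C:\Program Files\Tool\setup.EXE",
    r"C:\WINNT\System32\smss.exe",
    r"C:\Program Files\AV\avpm.exe",
    r"C:\Windows\ssmarque.scr",
    r"C:\Windows\System\comctl32.ocx",
    r"C:\Windows\notes.txt",
    r"\\fileserver\share\apps\scanner.exe",
]

if __name__ == "__main__":
    for label, files in triage(SAMPLE).items():
        print(label, files)
```

Because the exclusion works on name prefixes, a file such as scanner.exe is skipped as well, and AVP3 and AVPM are already covered by AVP.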

    The virus attempts to gain administrative rights on Windows NT. When someone with administrator rights logs on, the virus modifies the NT kernel (the NTLDR and C:\WinNT\System32\ntoskrnl.exe files) to allow Guest administrative rights to all files, including the ability to read and modify files. This allows access to normally restricted files when a user with restricted rights logs in.