[All About PC] Virus FunLove

Latest Reviews

ABIT VP6

ASUS A7V133

EPOX 8KTA3+

DEEP OCEAN SCREEN SAVER

Reviews

Mainboards:
	EPOX 8KTA3+
	ASUS A7V133
	ABIT VP6
	PC133 ON BX-BOARDS
Graphics Cards:
	ABIT SILURO T400
CD-ROM:
	ASUS CD-S500/A
	TEAC CD-540E
	MITSUMI FX 4820
CD-Writers:
	PLEXWRITER 12/10/32A
	MITSUMI CR-4805TE
	MITSUMI CR-4804TE
	LG CED-8042B
Software:
	DEEP OCEAN SCREEN SAVER

Virus Descriptions

	LOVELETTER
	PLAGE2000
	W32/MELTING
	W32/MYPICS
	W32/NEWAPT
	W32/PRETTY
	BABYLONIA
	SANTANA
	W97M/LENNI
	W97M/MELISSAT
	W97M/MICHAEL-B
	W97M/PRILISSA
	FUNLOVE
	WIN95.SMASH

Danger
Diffusion

The FunLove virus was only seen "in the wild" so far. It infects PE-files

FunLove:

Virus name	W32.FunLove.4099
Aliases	FLCSS, Win32.FLC
Operating system	Windows 9x and Windows NT

Infection:
The Virus was only noticed "in the wild" so far.

Payload:
After the activation of a file, which is infected with the FunLove-virus, the virus searches on all local and network drives for infectable files. It infects only PE-files (Portable Executable), that are files with the extension .EXE, .OCX, .SCR. The infectionroutine is executed in thr background, so that the user cannot recognize any delay.
During this infection he creates a WIN 32 PE-formated file named "FLCSS.EXE" in the %SYSTEM% directory (this is normally the Windows/Winnt-directory). The Virus executes thid file, which starts an application in the background (Windows 95/8) or an service (WinNT). After this all PE-files on the local drives and network drives C: to Z:, on which the user has a write access, are infected. If an error accures on creating the FLCSS.EXE, the infection is run from the infected PE-file.
On the operation system Windows NT the Virus is more dangerous. Is an NT-PC infected, which has administration rights, so the Virus attacks the security system. All users will get full access, i.e. a guest will be able to change or delete files. This can also happen, if an user-PC with administrator rights is infected later.

Mutation of the PE-files:
The Virus writes its code to the end of the infection file and writes the command "Jump Virus" into the starting routine (the first 8 bytes of the file), that garantees the starting of the virus, if the file is executed.
The virus tries to circumvent virusscanners and so infects no files as ALLER*, AMON*, AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA* and MPLA*.

Mutation in Windows NT:
The Change of the access rights is obtained by a little change in the security-API named SeAccessCheck. In this API only 2 bytes are changed with a patch NTOSKML.EXE

Realisation, that the virus is upon your PC:

The file FLCSS.EXE in the %SYSTEM%-directory exists
The PE-files are 4099 bytes longer

Remarks:
The FunLove-virus is not resistent, i.e. it is not permanent in memory. Because of the fact, that the virus infects the EXPLORER.EXE too, the virus is activated in every system start. If you execute the FLCSS.EXE in DOS the textstring ^{~Fun Loving
Criminal}~ is visible. After this your PC is rebootet and attempts to start windows.

Copyright by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others.
Although all information on this website is hardly recherched and mostly checked and confirmed from secondary side, we do not take the responsibillity for any damage originated from the use of the information on our site.