Name: W95/FunLove.4099
Description: W95/FunLove.4099 is a Win32 virus that infects Windows 32 portable executable (PE) files (including .EXE, .OCX and .SCR file types) on Windows 9x and Windows NT 4.0 machines. The virus infects local and network drives. It has been found in the wild. It does not have a destructive payload.

When executed, W95/FunLove.4099 creates a dropper file named FLCSS.EXE in the Windows system directory. This dropper file is executed, infecting files in the Windows and Program folders. The virus is executed as a Windows application on Windows 9x and as a service on Windows NT. The virus creates a thread inside the infected program that infects portable executable files with the extensions .EXE, .OCX and .SCR on local and network drives.

The virus will attempt to gain administrative rights on Windows NT. When someone with administrator rights logs on, the virus modifies the NT kernel to allow "guest" administrative rights to all files, including the ability to read and modify files. This allows access to normally restricted files. The virus patches the NTLDR and WINNT\System32\ntoskrnl.exe files. These files should be restored from backup. They cannot be recovered.

When an infected file is executed in DOS mode, the virus will restart the system and display the following text:
File names beginning with the following letters are excluded from infection: ALER, AMON, AVP, AVP3, AVPM, F-PR, NAVW, SCAN, SMSS, DDHE, DPLA, MPLA

Detection: Command AntiVirus version 4.54 and higher will detect W95/FunLove.4099 with virus definition files (Deffiles) posted 11/15/99.
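The indicators in this description can be turned into an offline triage pass over a mounted copy of a suspect volume. The following is an added example, not part of the original entry or of any vendor tool: it flags the FLCSS.EXE dropper, compares NTLDR and ntoskrnl.exe against digests taken from known-good backup media, and lists the .EXE/.OCX/.SCR files whose names fall outside the exclusion list so they can be scanned first. The function names, the baseline dictionary and the sample tree are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

DROPPER = "flcss.exe"                     # dropper name given in the description
TARGET_EXTS = {".exe", ".ocx", ".scr"}    # file types the virus infects
SKIP_PREFIXES = ("ALER", "AMON", "AVP", "AVP3", "AVPM", "F-PR",
                 "NAVW", "SCAN", "SMSS", "DDHE", "DPLA", "MPLA")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(root, baseline):
    """Walk a mounted volume copy. `baseline` maps lower-case file names to
    SHA-256 digests taken from known-good backup media (an assumption)."""
    report = {"dropper": [], "modified": [], "to_scan": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        name, rel = p.name.lower(), p.relative_to(root).as_posix()
        if name == DROPPER:
            report["dropper"].append(rel)
        elif name in baseline:
            # NTLDR / ntoskrnl.exe: patched, so restore from backup if changed
            if sha256(p) != baseline[name]:
                report["modified"].append(rel)
        elif (p.suffix.lower() in TARGET_EXTS
              and not p.name.upper().startswith(SKIP_PREFIXES)):
            report["to_scan"].append(rel)  # names the virus would not skip
    return report

def build_sample(root):
    """Constructed sample tree; contents are placeholder bytes, not binaries."""
    files = {"NTLDR": b"changed", "WINNT/System32/ntoskrnl.exe": b"good-kernel",
             "WINNT/System32/FLCSS.EXE": b"x", "WINNT/notepad.exe": b"x",
             "WINNT/System32/SMSS.EXE": b"x", "Program Files/AVP32.EXE": b"x",
             "Program Files/app/ctl.ocx": b"x", "Program Files/app/readme.txt": b"x"}
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return {"ntldr": hashlib.sha256(b"good-loader").hexdigest(),
            "ntoskrnl.exe": hashlib.sha256(b"good-kernel").hexdigest()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(tmp, build_sample(tmp)))
```

Files with excluded name prefixes are left out of the priority list only; a full scan with current definition files still covers them.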