A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | Encyclopedia Home
Also see: Hoax Encyclopedia | Repair Center | News Briefs | Glossary | Infected Attachments | Prevention Center
|
FunLove
Type: memory resident virus
According to F-Secure, FunLove has the following characteristics:
Description:
The virus infects PE EXE (Windows portable executables) on local and network drives. The virus itself is in a format of a PE executable file with a single file section '.code'.
When an infected file is run, the virus creates FLCSS.EXE file in the Windows system directory, writes its pure code there and then runs the generated file. This file becomes virus dropper - it is started by the virus as a hidden Windows application (under Win9x) or as a service (under WinNT).
In case an error occurrs while creating the FLCSS.EXE dropper file the virus runs its infection routine from its instance in the infected host file. The infection routine is run in the background as a separate thread and as a result the host program is executed with no visible delays.
The infection routine scans all local drives from C: to Z:, then looks for network resources, scans subdirectory trees there and infects PE files that have .OCX, .SCR or .EXE extensions. While infecting a file the virus writes its code to the end of the file - to the last file section and patches file's startup routine with a 8 byte long code that passes control to virus body. Being activated the virus restores these 8 bytes first and then starts its main code.
The virus is only able to infect PE files on network resources that the current infected workstation user has write access to. This limits spreading of a virus considerably.
Upon infection the virus checks file names and does not infect files that have one of the following 4 letters in the beginning of their names:
ALER AMON _AVP AVP3 AVPM F-PR NAVW SCAN SMSS DDHE DPLA MPLA
The virus also patches the NTLDR and WINNT\System32\ntoskrnl.exe files the similar way Bolzano virus does. The patched files are not recoverable and should be restored from backup.
What to look for: Search the Windows\System directory for the file, FLCSS.EXE
Aliases:
Win32_FLC, Win32.FLC, FLCSS
Systems Affected: Win32 operating systems
Payload: No
ITW: Yes
Origin:
How to prevent it: Do not open attachments received unexpectedly, even from known sources. Keep your antivirus software up-to-date, save and scan any new files or attachments before opening.
