This is a parasitic Win32 PE file virus that infects EXE, SCR and OCX files on Win9x and WinNT 4.0 by appending itself to the last PE section of the file. The virus also overwrites the first 8 bytes of code at the start of the program with a jump to the virus's code. Cleaning this virus requires SCAN.EXE with a minimum engine version of v4.0.70, in combination with the VirusScan or NetShield 4.5 product.
Under Windows 9x the file length increases by 4099 bytes. Under Windows NT the increase is at least 4099 bytes and is usually more; increases of up to approximately 7000 bytes have been observed in tests.
When the virus is first run, it drops a file called FLCSS.EXE into the SYSTEM folder if this file does not already exist. This EXE file is then run as a separate process and becomes the resident portion of the virus. The virus then directly infects all EXE, SCR, and OCX files in the folders Program Files and Windows9x/WinNT, including any subfolders. Because the default Windows shell, Explorer.exe, is kept in these folders, the virus is re-executed whenever the system is restarted.
Under Windows NT, the virus uses a routine borrowed from the W32/Bolzano virus to patch the files NTOSKRNL.EXE and NTLDR if the current user is logged in with administrator rights. This patch, which is activated after the next system restart, allows all users full administrator rights to the system. This allows the virus (and any low-level users) full, unrestricted access to all the files on the system.
Periodically the virus scans any network shares with write access and infects any EXE, SCR and OCX files on any shared network drives. The "FLC" process runs in the background, first exploring the local drives and then waiting a random amount of time. Depending on a random number, it then either goes back to exploring the local drives or starts exploring the network, returning to the local drives once the network has been explored.
The virus is not encrypted or polymorphic.
When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.
Indications Of Infection
1) Increase in size by 4099 bytes under Windows 9x, and under Windows NT a variable length increase of at least 4099 bytes.
2) Message as described above.
3) The existence of the file FLCSS.EXE in the Windows system folder.
4) Activity on both local hard disks and over the network as the virus looks for new victims to infect.
5) Certified ActiveX controls give a warning that the signature no longer matches the file.
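The description above says the virus appends itself to the last PE section and overwrites the first 8 bytes at the program's start with a jump to its code. The following triage heuristic is an added example, not vendor code: it flags a PE file whose entry point begins with a jump that lands in the last section. The `E9 rel32` jump encoding is an assumption (the write-up says only "a jump"), and `build_fixture` produces a constructed header skeleton used purely as test input.

```python
import struct

def parse_pe(pe):
    """Return (entry_rva, sections); each section is (vsize, vaddr, raw_size, raw_ptr)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt, = struct.unpack_from("<I", pe, 0x3C)              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)     # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", pe, nt + 24 + 16)   # AddressOfEntryPoint
    base = nt + 24 + opt_size + 8                         # first header's VirtualSize
    secs = [struct.unpack_from("<4I", pe, base + 40 * i) for i in range(nsec)]
    return entry, secs

def _inside(rva, sec):
    vsize, vaddr, rsize, _rptr = sec
    return vaddr <= rva < vaddr + max(vsize, rsize)

def entry_jumps_to_last_section(pe):
    """True if the entry point starts with jmp rel32 (E9, assumed) into the last section."""
    entry, secs = parse_pe(pe)
    home = next((s for s in secs if _inside(entry, s)), None)
    if home is None or len(secs) < 2 or home is secs[-1]:
        return False
    off = home[3] + (entry - home[1])                     # RVA -> file offset
    if pe[off:off + 1] != b"\xE9" or off + 5 > len(pe):
        return False
    rel, = struct.unpack_from("<i", pe, off + 1)
    return _inside((entry + 5 + rel) & 0xFFFFFFFF, secs[-1])

def build_fixture(jump_at_entry):
    """Constructed two-section header skeleton for testing; contains no real code."""
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)          # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)               # SizeOfOptionalHeader
    struct.pack_into("<I", img, 0x68, 0x1000)             # AddressOfEntryPoint
    for i, (name, va, ptr) in enumerate([(b".text", 0x1000, 0x200),
                                         (b".rsrc", 0x2000, 0x400)]):
        struct.pack_into("<8s4I", img, 0x138 + 40 * i, name, 0x200, va, 0x200, ptr)
    if jump_at_entry:
        img[0x200:0x205] = b"\xE9" + struct.pack("<i", 0x2100 - 0x1005)
    return bytes(img)
```

A hit is a reason to scan the file with the engine named in the removal instructions, not a verdict: packers and some protectors also redirect the entry point into a late section.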
Method Of Infection
Running an infected file will directly infect the local system and available network shares.
Because the virus infects ActiveX controls (OCX files), the possibility of infecting systems via a web browser that supports ActiveX controls also exists.
If the virus infects a server that contains web pages with embedded ActiveX controls, and these controls get infected, then any user browsing the web page will be infected after downloading and executing the ActiveX control. If the ActiveX control is unsigned and the browser security settings are set to low, then no warning will be given to the user. If, however, the infected ActiveX control is signed, then because of the virus infection the user will be warned that the signature no longer matches the file, and given the option of not running the ActiveX control.
Removal Instructions
Cleaning this virus requires SCAN.EXE with a minimum engine version of v4.0.70, in combination with the VirusScan or NetShield 4.5 product. BOOTSCAN.EXE can also remove this virus; however, the latest version available is 4.0.35.
Removal of the FUNLOVE Virus Worm in an Enterprise Environment (.RTF).
For Bootscan,
Using a clean system, extract this update and copy over existing emergency boot disk files.
This virus can be cleaned off any hard drives using an emergency disk made from a known clean system.
The cleaned system must remain disconnected from any network until all the remaining systems have been scanned and cleaned. You will need to boot from a clean floppy with the emergency repair product on each system, including Microsoft servers.
The virus in any infected system will infect other systems on the same network that "share" disk space. It is also memory resident and, if connected to the network during or after cleaning, will re-infect all systems that share disk space with it as fast as you clean them.
Cleaning Windows 9x, WinNT FAT systems:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette, and use the command line scanner, such as "SCAN.EXE C: /CLEAN /ALL".
Cleaning Windows NT NTFS systems
Virus Information
Discovery Date: 11/9/99
Origin: Newsgroup Posting
Length: 4,099
Type: Virus
SubType: Win32
Risk Assessment: Medium
Variants
Name: W32/FunLove.app
Type: Virus
Sub Type: Win32
Differences: Added to 4112 DATS and improved in 4115 DATS. Detection is for samples which contain the body of the FunLove virus, but in which it is inactive and therefore cannot replicate. The body of the virus is found at the end of a PE file (Windows EXE file). It can be removed.
Aliases
FLCSS.EXE, Funlove, PE_FUNLOVE.4099 (Trend), W32.FunLove.4099 (NAV), W32.Funlove.int (NAV), W32/Flcss (Sophos), W32/Funlove.4099.dr (VirusScan), W32/FunLove.gen (VirusScan), W95/FunLove.4099 (F-Prot), Win32.FLC, Win32.FunLove.4070 (AVP)