Aliases: Win32.FunLove.4070, W32/FunLove.gen, PE_FUNLOVE.4099, W32/Flcss, Win32.Funlove.4099
Variants: Winervar

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 08 Nov 1999
Damage: Medium

Characteristics: Another self replicating virus, W32.FunLove.4099 duplicates itself mostly under Windows 95, Windows 98, Windows ME, and Windows NT platforms. However, all platforms of Windows are vulnerable to this worm, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It also contaminates programs and/or files with .exe, .scr, and .ocx extensions. It attacks Windows NT file security system while running as a service on Windows NT systems.

More details about W32.Funlove.4099

During its first attack, the virus requires administrative rights in the compromised computer’s Windows NT Server or Windows NT Workstation. The virus is not that hard to detect nor is it hard to remove. Most antivirus can track and detect its infection. Some reports even say that if the updated virus program was earlier than October 10, 2000, it will prevent files from being re-infected. The virus has a lot of limitations for its infection. W32.Funlove.4099 will not be able to infect files on an Alpha computer. The only file it can infect are those files accessible by a Wintel computer. Alpha platform infected files can be cleaned through isolation and immersing computers from the network.

The worm infects every network drive that it finds through the call to WNetEnumResourceA. As long as the drive is writeable, FunLove will modify Ntoskrnl.exe over the network, even without dropping Flcss.exe onto the system. FunLove does not actually infect Ntoskrnl.exe, but it changes the file's security function. Once the affected computer is restarted, the modified Ntoskrnl.exe and Ntldr are loaded, and security is compromised. The virus also monitors and check files if it is already infected or not. There are several symptoms that may constitute infection of this virus. Once executed in the compromised computer, the virus inserts an “Flcss.exe” file in windows system directory. It contaminates network drives and local network of the compromised computer even if no one is logged on. Portable executable files with exe, .scr, or .ocx extensions are also vulnerable to this virus. The virus also posts a potential problem, because the virus can spread everywhere, regardless of the actual access restrictions on the particular computer. Furthermore, after the attack, no data can be considered protected from modification by any user. On the other hand, the virus does not infect files that begin with the following characters in their names: aler, amon, avp, avp3, avpm, f-pr, navw, scan, smss, ddhe, dpla and mpla.