Topic: W32/FunLove.gen

[Amker]

This virus is a parasitic Win32 PE file virus that infects EXE, SCR and OCX files by appending itself to the last PE section of the file.
Characteristics -


Under Windows9x/ME the file length is increased by 4099 bytes, but under Windows NT/2K/XP the file length increase is a minimum of 4099 bytes and is usually more, up to approximately 7000 bytes has been observed in tests.

When the virus is first run, it drops a file called FLCSS.EXE into the SYSTEM folder, if this file does not already exist. This exe file is then run as a separate process and becomes the resident portion of the virus. The virus then directly infects all EXE, SCR, and OCX files in the folders Program Files and WINDOWS (%WinDir%), including any sub folders. As the default Windows shell Explorer.exe is kept in here, the virus is re-executed whenever the system is restarted.

Under Windows NT/2K/XP, the virus uses a routine  to patch the files NTOSKRNL.EXE and NTLDR if the current user is logged in with administrator rights. This patch, which is activated after the next system restart, allows all users full administrator rights to the system. This allows the virus (and any low-level users) full, unrestricted access to all the files on the system.

Periodically the virus scans any network shares with write access, and infects any EXE, SCR and OCX files on any shared network drives. The "FLC" process runs in the background, first exploring the local drives, then waiting a random amount of time - depending on a random number it either goes back to exploring the local drives, or starts exploring the network, then going back to exploring the local drives after exploring the network.

The virus is not encrypted or polymorphic.

When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.
Symptoms -



1) Increase in size by 4099 bytes under Windows 9x/ME, and under Windows NT/2K/XP a variable length increase of at least 4099 bytes.
2) Display of the "~Fun Loving Criminal~" Message.

3) The existence of the file FLCSS.EXE in the Windows system folder.

4) Activity on both local hard disks and over the network as the virus looks for new victims to infect.

5) Certified ActiveX controls give a warning that the signature no longer matches the file.
Method of Infection -


Running infected file will directly infect the local system and available network shares.
Because the virus infects ActiveX controls (OCX files) the possibility of infecting systems via a web-browser that supports ActiveX controls also exists.

If the virus infects a server that contains web pages with embedded ActiveX controls, and these controls get infected then any user browsing the web page will be infected after downloading and executing the ActiveX control. If the ActiveX control is unsigned and the browser security settings are set to low then no warning will be given to the user. If however the infected ActiveX control is signed then because of the virus infection, the user will be warned that the signature no longer matches the file, and given the option of not running the ActiveX control.
Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

McAfee