Funlove???

Hi!

Does anyone know about the virus named "Funlove" which seems to cause anything but fun or love ? I heard about that virus a couple of minutes ago and I didn't know about it ! Thank you! Uguel707

http://groups.msn.com/_Secure/0RQDjAm4UR7!ZUKgQm0ACIrJ8YwY!uUSCCjFB*NPQ8NJoKNPOGUIhBIlRB!pTmNge7blWhj9dw24NRnk7eI7ZfJ5FYzos4P5kyu0HkV6TtUs/ski-050.gif?dc=4675402435064320679

 

Funlove is an oldie, dating from three years ago or so, but this article will probably help:

http://www.pcworld.com/news/article/0,aid,106635,00.asp


- Fixed link - LowWaterMark

 

There is a recent version floating around these days.

Aliases: Win32/Winevar.A, I-Worm.Winevar, W32/Korvar, W32/Winevar@mm, W32.HLLW.Winevar


WORM_BRAID.A
Discovered: Nov. 4, 2002

Detection available: Nov. 4, 2002

Date of origin: Nov. 4, 2002
Details:



Installation of PE_FUNLOVE.4099


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BRAID.A&VSect=T







Payload Trigger: Infectious File is executed and flcss.exe is dropped and run as a regular process in C:\Windows\System.
Payload:
Modifies files: Win32 files with .exe, .scr, or .ocx extensions.
Degrades performance: Corrupts Windows Applications.
Causes system instability: Causes degradation in system performance and sometimes crash.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_FUNLOVE.4099&VSect=T



PE_FUNLOVE.4099


Note:
This virus searches for network shares. When it attempts to infect a printer share, a Network Downlevel Document error appears in the printer queue. This is an observable adverse effect and occurs as a result of the attempt of the virus to infect the Windows NT boot file NTLDR that it assumes can be found in all network shares. This error may produce erroneous printing of garbage data. Print queues may also be disrupted as a result of the traffic caused by infected network clients attempting to infect the printer shares.



Upon execution, the virus drops the file FLCSS.EXE in the Windows System Folder. It then infects all EXE, SCR, and OCX files in the Program Files folder, including sub folders.

While EXPLORER.EXE is in memory, the virus re-executes at every system startup. In addition, because EXPLORER.EXE and other system files execute when Windows is loaded, the virus cannot be cleaned in Windows.

The virus attaches the FLCSS.EXE file at the end of the last section of infected files. For it to execute and jump directly to the entry point of the FLCSS.EXE attachment, it modifies the entry point of the host file. Infected files increase by 4,099 Bytes.





Description:
Note: Several Microsoft Hotfixes downloaded between April 6-20 from Microsoft's Premium Support and Gold Certifies Web sites were infected with PE_FUNLOVE.4099 a.k.a. the Fun Love virus. As of now there are no reports that other Microsoft Hotfix Web sites are infected. However, Trend Micro advises all customers to download the latest pattern file to ensure protection against this file infector virus.

This virus infects all Win32 type Portable Executable (PE) files such as .EXE, .SCR, and .OCX in both Windows 9x and Windows NT 4.0. platforms. It searches for all Shared Network Folders with write access and then infects the files within them. To infect NT system files, the virus patches the integrity checking.




Solution:


On a clean machine, download a copy of our tool Fix_Flc.com to a clean diskette, and write-protect it.
Trend requests all users read the "Instructions" text file before using this tool.
Run the tool on the infected machine, from the diskette.
Reboot the machine.
Close all Explorer windows, then go to the MS-DOS prompt (Start|Programs|MS-DOS Prompt).
Insert the 2nd disk of the Emergency Rescue Disks(ERD), and then type this command:
A:\Pcscan /v /c /A /NOBKUP.
Then follow the instructions.
Note: This will scan and clean all infected files, including files with extensions .OCX and .SCR.

_______________________________________________
DOS FunLove.4099 Fix Tool
http://www.symantec.com/avcenter/venc/data/dos.funlove.4099.fix.tool.html

 

Hi!

Sounds like a stubburn oldie recurring! Thank you 4 your answers. The one who told about that virus had it quarantined by NAV and meanwhile was awaiting for advice.
Thanks ! Uguel707

http://groups.msn.com/_Secure/0RADXAjsUw7AFM7kI7rr4QXlDZ3rxbGDJjKtIHqr462V9cRPH!hTp3OJJgUVse5vTOMthwPIeaPZbDK3odemxtNjxOPEhh7z8xE!43Usy6Vo/ski-02.gif?dc=4675397854247485384

 

Say!

I've found another site that gives a free antidote which seems easier to proceed with than the one Symantec proposes.
N.B : I don't know much about this site but it seems good to know! Uguel707

Good Bye!

http://www.bitdefender.com/html/free_tools.php