Funlove???

Discussion in 'malware problems & news' started by Uguel707, Dec 23, 2002.

Thread Status:
Not open for further replies.
  1. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    There is a recent version floating around these days.

    Aliases: Win32/Winevar.A, I-Worm.Winevar, W32/Korvar, W32/Winevar@mm, W32.HLLW.Winevar


    WORM_BRAID.A
    Discovered: Nov. 4, 2002

    Detection available: Nov. 4, 2002

    Date of origin: Nov. 4, 2002
    Details:



    Installation of PE_FUNLOVE.4099


    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BRAID.A&VSect=T

    Payload Trigger: Infectious File is executed and flcss.exe is dropped and run as a regular process in C:\Windows\System.
    Payload:
    Modifies files: Win32 files with .exe, .scr, or .ocx extensions.
    Degrades performance: Corrupts Windows Applications.
    Causes system instability: Causes degradation in system performance and sometimes crashes.
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_FUNLOVE.4099&VSect=T



    PE_FUNLOVE.4099


    Note:
    This virus searches for network shares. When it attempts to infect a printer share, a Network Downlevel Document error appears in the printer queue. This is an observable adverse effect and occurs as a result of the attempt of the virus to infect the Windows NT boot file NTLDR that it assumes can be found in all network shares. This error may produce erroneous printing of garbage data. Print queues may also be disrupted as a result of the traffic caused by infected network clients attempting to infect the printer shares.



    Upon execution, the virus drops the file FLCSS.EXE in the Windows System Folder. It then infects all EXE, SCR, and OCX files in the Program Files folder, including sub folders.

    While EXPLORER.EXE is in memory, the virus re-executes at every system startup. In addition, because EXPLORER.EXE and other system files execute when Windows is loaded, the virus cannot be cleaned in Windows.

    The virus attaches the FLCSS.EXE file at the end of the last section of infected files. For it to execute and jump directly to the entry point of the FLCSS.EXE attachment, it modifies the entry point of the host file. Infected files increase by 4,099 Bytes.





    Description:
    Note: Several Microsoft Hotfixes downloaded between April 6-20 from Microsoft's Premium Support and Gold Certified Web sites were infected with PE_FUNLOVE.4099, a.k.a. the Fun Love virus. As of now there are no reports that other Microsoft Hotfix Web sites are infected. However, Trend Micro advises all customers to download the latest pattern file to ensure protection against this file infector virus.

    This virus infects all Win32 type Portable Executable (PE) files such as .EXE, .SCR, and .OCX on both Windows 9x and Windows NT 4.0 platforms. It searches for all Shared Network Folders with write access and then infects the files within them. To infect NT system files, the virus patches the integrity checking.




    Solution:


    On a clean machine, download a copy of our tool Fix_Flc.com to a clean diskette, and write-protect it.
    Trend requests all users read the "Instructions" text file before using this tool.
    Run the tool on the infected machine, from the diskette.
    Reboot the machine.
    Close all Explorer windows, then go to the MS-DOS prompt (Start|Programs|MS-DOS Prompt).
    Insert the 2nd disk of the Emergency Rescue Disks (ERD), and then type this command:
    A:\Pcscan /v /c /A /NOBKUP.
    Then follow the instructions.
    Note: This will scan and clean all infected files, including files with extensions .OCX and .SCR.

    _______________________________________________
    DOS FunLove.4099 Fix Tool
    http://www.symantec.com/avcenter/venc/data/dos.funlove.4099.fix.tool.html
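
The write-up quoted in the post above describes a pattern that can be checked from the PE headers: code attached to the last section, the entry point moved there, and the file growing by 4,099 bytes. The following is an added example, not part of the thread or of any vendor tool; the function names and the sample headers are constructed for illustration, and since legitimate packers also place the entry point in the last section, it is a triage heuristic rather than a signature.

```python
import struct

FUNLOVE_GROWTH = 4099  # per-file size increase stated in the write-up above

def sections(data):
    """Parse PE headers; return (entry_rva, [(name, vaddr, span), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16) # AddressOfEntryPoint
    table = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vaddr, max(vsize, rsize)))
    return entry, out

def triage(data, baseline_size=None):
    """Return reasons this file deserves a closer look (empty list = none)."""
    entry, secs = sections(data)
    reasons = []
    if len(secs) > 1:  # with a single section the check would always fire
        name, vaddr, span = secs[-1]
        if vaddr <= entry < vaddr + span:
            reasons.append(f"entry point 0x{entry:x} is in last section {name}")
    if baseline_size is not None and len(data) - baseline_size == FUNLOVE_GROWTH:
        reasons.append(f"file grew by exactly {FUNLOVE_GROWTH} bytes")
    return reasons

def build_sample(entry_rva, pad=0):
    """Constructed headers only (not a runnable program): .text then .rsrc."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sec(name, vaddr, size):
        return struct.pack("<8sIIII", name, size, vaddr, size, 0).ljust(40, b"\0")
    body = sec(b".text", 0x1000, 0x1000) + sec(b".rsrc", 0x2000, 0x2000)
    return dos + coff + opt + body + b"\0" * pad

if __name__ == "__main__":
    clean = build_sample(0x1200)                          # entry in .text
    altered = build_sample(0x2F00, pad=FUNLOVE_GROWTH)    # entry in .rsrc, +4099 bytes
    print(triage(clean, len(clean)))
    print(triage(altered, len(clean)))
```

The size check needs a known-good baseline, such as the file size recorded from installation media or a backup taken before the suspected infection.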
     
  4. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
  5. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Say!

    I've found another site that gives a free antidote which seems easier to proceed with than the one Symantec proposes.
    N.B.: I don't know much about this site but it seems good to know! ;) Uguel707

    Good Bye!

    http://www.bitdefender.com/html/free_tools.php
     