Add new Bookmark
Do you need some help? Enter your problem or question below and an Exhibited Guru will get back to you. If you have a serious problem, it might be best to ask a moderator instead by selecting "Mod Box" from the drop down. Remember, this isn't for reporting bugs.



L29 EXC AMF h4_src=DOS.[Win32:FunLove-C].exe

Back Assign Food Feed
Heal
Battle Enclosure Refresh Image Next

Basics

Care

Biology

Skills

Relationships

Design

Name
h4_src=DOS.[Win32:FunLove-C].exe
Species Gender Age
Herrerasaurus Male 54 (22 years old)
Owner Breeder
UnwrittenTale (#3511) UnwrittenTale (#3511)
Contract
This dinosaur has no contract tied to it.
Notes
~ { FunLOVE} ~

Via securelist.com

Virus.Win32.FunLove.4070

Detected Nov 11 1999 20:00 GMT
Released Nov 11 1999 20:00 GMT
Published Mar 21 2000 12:26 GMT

Technical Details

FunLove (aka Fun Loving Criminals) is a benign memory resident parasitic Win32 virus. It affects PE EXE files on local and network drives. Because of its network spreading ability, the virus can infect the local network from one infected workstation, in the case that the network access permission allows for the writing of this user.

The virus contains the following text strings:

~Fun Loving Criminal~

When an infected file is run, the virus creates a FLCSS.EXE file in the Windows system directory, writes its "pure" code to there and runs this file. This virus "dropper" (FLCSS.EXE file) has a Win32 PE format and is executed by the virus as a hidden Windows application (under Win9x) or as a service (under WinNT), and the infection routine takes control.

In case an error has occurred while creating the dropper file (when the virus is run from an infected file), the virus runs the infection routine from its example in the infected host file. The file searching and infection process is run in the background as a "thread," and as a result, the host program is executed with no "visible" delays.

The infection routine scans all local drives from C: till Z:, then looks for network resources, scans subdirectory trees there and infects PE files that have a .OCX, .SCR or .EXE name extension. While infecting a file, the virus writes its code to the end of the file to the last file section and patches its entry routine with a "JumpVirus" instruction. The virus checks file names and does not infect the files: ALER*, AMON*, _AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA*, MPLA*.

The virus is related to the Bolzano virus family and patches the NTLDR and WINNTSystem32ntoskrnl.exe files in a similar way the "Bolzano" virus does. The patched files should be restored from backup.