Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:W32/Funlove.4099
Date discovered:11/12/1999
Type:File infector
In the wild:No
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium to high
Static file:No
File size:4099 Bytes
IVDF version:6.18.00.16 - Monday, March 17, 2003

 General Method of propagation:
   • Infects files


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files
   • Lowers security settings

 Files It modifies the following files:
   • %SYSDIR%\Ntoskrnl.exe
   • C:\ntldr
As a result various security mechanisms are disabled.



The following file is created:

%SYSDIR%\FLCSS.EXE Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: W32/FunLove.4099

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.


Method:

This direct-action infector actively searches for files.


Infection length:

- 4099 Bytes


Ignores files that:

Contain any of the following strings in their name:
   • aler; amon; avp; avp3; avpm; f-pr; navw; scan; smss; ddhe; dpla; mpla


The following files are infected:

By file type:
   • *.exe
   • *.scr
   • *.ocx

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\FLC]
   • "Type"=dword:00000001
     "Start"=dword:00000003
     "ErrorControl"=dword:00000001
     "Tag"=dword:0000000f
     "ImagePath"="%SYSDIR%\FLCSS.EXE"
     "DisplayName"="FLC"
     

 Miscellaneous String:
Furthermore it contains the following string:
   • ~Fun Loving Criminal~

Description inserted by Razvan Olteanu on Tuesday, July 13, 2010
Description updated by Razvan Olteanu on Wednesday, July 14, 2010

Back . . . .