|
Dear McAfee.com Dispatch Subscriber:
W32/FunLove.4099 is a new virus. AVERT has assigned it a MEDIUM risk assessment. W32/FunLove.4099 is a parasitic Win32 PE file infector that works on both Win9x and WinNT 4.0. It infects .EXE, .SCR and .OCX files. When the virus is first run, it drops a file called FLCSS.EXE into the %SYSTEM% folder. The virus then directly infects all .EXE, .SCR, and .OCX files in the folders Program Files and WINDOWS/WINNT, including any sub-folders. Because the default Windows shell Explorer.exe is kept in here, the virus is re-executed whenever the system is restarted. The virus uses a routine lifted from the W32/Bolzano virus to patch the NT files NTOSKRNL.EXE and NTLDR. This enables the virus to have full access to the system after the next system reboot. Periodically, the virus scans any network shares with write access, and infects any EXE, SCR or OCX files on the shared network drives. The virus is not encrypted or polymorphic. Infected files have a copy of the FLCSS.EXE file added to the end of the last PE section, and the length of the infected files increases by 4099 bytes. When executed under DOS, the file FLCSS.EXE displays the message ~Fun Loving Criminal~ and then tries to reset the machine in order to load Windows.
|
- Re: [CTRL] FYI - Virus Alert W32/FunLove.4099 Eagle 1
- Re: [CTRL] FYI - Virus Alert W32/FunLove.4099 Tatman, Robert
- Re: [CTRL] FYI - Virus Alert W32/FunLove.40... Rodrigo Cesar Banhara
