Win32.Funlove (Win32_FLC, Win32.FLC, FLCSS)

SYMPTOMS:

TECHNICAL DESCRIPTION:

Win32.Funlove.4099 is a Win32 virus that infects Windows 32-bit portable executable (PE) files, including the .exe, .ocx and .scr file types, on Windows 9x, Windows NT 4.0 and Windows 2000 machines.

When an infected file is run, the virus creates the file flcss.exe in the Windows system folder (\Windows\System on Windows 95/98/Me, or \Winnt\System32 on Windows NT). This file is then executed, infecting files from the Windows and Program folders. The virus creates a thread inside the infected program that infects portable executable files with the extensions .exe, .ocx and .scr on local and network drives.

While infecting a file, the virus writes its code to the end of the file, into the last file section, and patches the file's startup routine with an 8-byte stub that passes control to the virus body. When activated, the virus first restores these 8 bytes and then starts its main code.

Files whose names begin with the following strings are excluded and will not be infected:

ALER AMON AVP AVP3 AVPM F-PR NAVW SCAN SMSS DDHE DPLA MPLA

The virus will attempt to gain administrative rights on Windows NT. When someone with administrator rights logs on, the virus modifies the NT kernel (the NTLDR and C:\WinNT\System32\ntoskrnl.exe files) to give Guest administrative rights to all files, including the ability to read and modify files. This allows access to normally restricted files when a user with restricted rights logs in.

REMOVAL INSTRUCTIONS:

BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.
If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

ANALYZED BY:
Victor Sorin Dudea
BitDefender Virus Researcher
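The infection layout in the technical description (virus body in the last section, 8 patched bytes at the startup routine that pass control to it) suggests a static triage heuristic. The sketch below is an added example, not BitDefender's detection logic. It assumes the 8-byte stub contains a near CALL or JMP with a 32-bit displacement, which the description does not state, and the function names and the sample PE skeleton are constructed for illustration. A hit is only a reason to look closer, since packers can produce the same layout.

```python
import struct

def pe_layout(data):
    """Return (entry_rva, [(va, vsize, raw_ptr, raw_size), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)   # AddressOfEntryPoint
    table = pe + 24 + opt_size                               # first section header
    secs = []
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, table + 40 * i + 8)
        secs.append((va, vsize, rptr, rsize))
    return entry, secs

def entry_stub_hits_last_section(data):
    """True if the 8 bytes at the entry point hold a near CALL/JMP into the last section."""
    entry, secs = pe_layout(data)
    host = next((s for s in secs if s[0] <= entry < s[0] + max(s[1], s[3])), None)
    if host is None or host is secs[-1]:
        return False          # entry point already inside the last section: not this pattern
    start = host[2] + entry - host[0]
    stub = data[start:start + 8]
    lo, hi = secs[-1][0], secs[-1][0] + max(secs[-1][1], secs[-1][3])
    for i in range(len(stub) - 4):
        if stub[i] in (0xE8, 0xE9):                          # CALL rel32 / JMP rel32
            rel, = struct.unpack_from("<i", stub, i + 1)
            if lo <= (entry + i + 5 + rel) & 0xFFFFFFFF < hi:
                return True
    return False

def build_sample(stub):
    """Constructed two-section PE32 skeleton (headers only, not a program), entry at 0x1000."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    def sec(name, va, ptr):
        return name.ljust(8, b"\0") + struct.pack("<4I", 0x200, va, 0x200, ptr) + b"\0" * 16
    hdr = dos + coff + opt + sec(b".text", 0x1000, 0x200) + sec(b".rsrc", 0x2000, 0x400)
    return hdr.ljust(0x200, b"\0") + stub.ljust(0x200, b"\x90") + b"\0" * 0x200

if __name__ == "__main__":
    patched = build_sample(b"\xE9" + struct.pack("<i", 0x2010 - 0x1005))  # JMP into .rsrc
    clean = build_sample(bytes.fromhex("558bec83ec105356"))               # ordinary prologue
    print(entry_stub_hits_last_section(patched), entry_stub_hits_last_section(clean))
```
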