Funlove virus attacking Print ques

From: McDaniel, Tom (Tom_McDaniel@BOSE.COM)
Date: 02/04/02


Date:         Mon, 4 Feb 2002 13:14:36 -0500
From: "McDaniel, Tom" <Tom_McDaniel@BOSE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The below message was some banter that went on between myself and
Symantec...They have a proposed fix and I thought that this forum might be
interested in giving it a shot if you are having similar problems. See Below
and note response from Symantec at the bottom:

Author: Tom McDaniel
Date: 08:26 AM, Feb 01 PDT
Subject: Funlove attacking Print Ques

Product:
Supported operating system: Windows NT/2000
Name of the virus, trojan, or worm: FunLove

Hello,
I sent the following Email to One of your Senior Systems engineers:

*******************************************************************
Steve,
Hope you are well...We are having a continuing problem here at Bose
with Funlove...See Below EMails...The question we have for you is: Is
there any way that Symantec knows of to control the propagation of
Funlove in Print Queues?...We are fighting it in the trenches by
weeding out the clients here and there, and the problem has
diminished, but not disappeared...I would appreciate any insight you
can give us on this, or at least point us in the right
direction...Thnx in advance...Tom

-----Original Message-----
From: Siefert, Steven
Sent: Wednesday, January 30, 2002 5:35 PM
To: Anderson, Neil
Cc: Beltramini, Suzanne; Gardner, David; Simon, Issac; McDaniel,
Tom
Subject: Funlove Virus Continues
Importance: High

Neil,

The funlove virus woes continue. There was another hit on
printserver today (11/30/02) at 11:03 am. All of the "remote
downlevel documents" were from BL2385. I'd appreciate if you could
follow up on 2 things for us.

1. Find out what machine BL2385 was on at this time and have his
machine checked for infection.

2. Research with Symantec what can be done about the printserver
queues being flooded. This is a continuing and serious problem
since it spikes the processor usage, resultantly slowing down
printing and overall machine function.

I'll be out Thursday and Friday, so please touch base with David if
you need any further information on the symptoms on printserver.

Steven Siefert
Systems Analyst
CIS - NT Infrastructure Group
Bose Corporation

********************************************************************

I Got The following Reply From Him:

********************************************************************
Tom,

That's a good question. I'm sure you have been to the Symantec
Security Response site (http://securityresponse.symantec.com/) and
have viewed the information there. I think your best bet would be to
contact Platinum Support. They may have some "tips and tricks" on how
to rid your systems of FunLove. They also have ready access to the
Symantec Security Response personnel.

Steve Maxwell
Senior Systems Engineer
Symantec Corporation
266 Second Avenue
Waltham, MA 02451
*********************************************************************

We are Platinum members here at Bose and we need a solid answer to
this question as it is disrupting our Printserver environment
dramatically. I am doing as he requested and contacting you guys
first for resolution...If you cannot help, can you please get it to
someone that can...Thnx...Tom

Author: Randy Rejda [Symantec]
Date: 10:19 AM, Feb 04 PDT
Subject: Re: Funlove attacking Print Ques

Hello Tom,

Thank you for using our Online Support groups.

>..We are having a continuing problem here at Bose
>with Funlove...See Below EMails...The question we have for you is: Is
>there any way that Symantec knows of to control the propagation of
>Funlove in Print Queues?...We are fighting it in the trenches by
>weeding out the clients here and there, and the problem has
>diminished, but not disappeared...I would appreciate any insight you
>can give us on this, or at least point us in the right
>direction...

Please have a look at the following Knowledge Base Document. It
contains information and suggestions to solve this issue:

Title: 'How to determine the source of a FunLove infection'
Document ID: 2000102009031148
Web URL:
http://service1.symantec.com/support/ent-security.nsf/docid/2000102009031148?Open&src=w

Please let us know if we can be of further assistance.

Sincerely,

Randy Rejda
Symantec Enterprise Technical Support

Tom McDaniel {*}
Business Systems Management
Bose Corporation
