Re: Funlove virus attacking Print ques

From: Pål Eivind Jacobsen Nes (waffle@EXABINARY.COM)
Date: 02/05/02

Date:         Tue, 5 Feb 2002 00:39:51 +0100
From: Pål Eivind Jacobsen Nes <waffle@EXABINARY.COM>

On Mon, 4 Feb 2002, McDaniel, Tom wrote:
> The systems affected are Win2K advanced server boxes running in a
> cluster...They both have Norton Anti Virus CE 7.51 installed in a managed
> environment...We believe that these "Remote down level Documents" Are coming
> from FunLove infected client systems...Every time we are able to catch one,
> that is the case...The capability we were asking Symantec for was a
> dependable way of sniffing out the culprits...

This is a virus that infects Windows executable (*.EXE, *.SCR and *.OCX)
files on both Win9x/Me and WinNT/2000. When run, it will install a file
called FLCSS.EXE in the windows system directory (e.g. C:\WINDOWS\SYSTEM

Under WinNT this file is running as a system process service and infects
files on local disks and will also spread itself to shared network drives.
Under Win9x it runs as a hidden program not visible in the task list.
If it is run on an NT administrator account on NT 4.0, it will attempt to
patch the files NTOSKRNL.EXE and NTLDR in such a way that NT's admin
privileges are given to all that asks for it.

For several reasons it may be difficult to get rid of :

Since the FLCSS.EXE file is held open by Windows, it cannot be deleted as
long as it is running. You may use NVC to do what is called a "deferred
delete" - i.e. the file will be deleted on next boot-up. The problem is
that when you boot the machine and the file is deleted, other infected
programs may be run, which will install the virus all over again.

If you have a LAN and FunLove has spread in your LAN you have hard work
ahead of you. You have to isolate all infected machines from your network.
Before your start to clean workstations you should do a scan and make sure
that all your servers are clean, this to avoid reinfection when you
reconnect the computers to the network after cleaning.

NTOSKRNL.EXE and NTLDR are patched by the virus in such a way that they
should be copied back to the system from a backup, or you may replace
these files by reinstalling an already installed Service Pack e.g.

To avoid new infection you can create a folder named FLCSS.EXE in Windows'
system folder, FunLove will then not be able to create the file FLCSS.EXE
and will not succeed to spread itself.

Pål Eivind Jacobsen Nes
Technical Consultant
Norman Data Defense Systems

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Delivery co-sponsored by Qualys - Make Your Network Secure oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Go Beyond PARTIAL Security: FREE White Paper

Stop hassling with half-baked ENTERPRISE SECURITY. FREE White Paper shows you how to ensure TOTAL security for your Internet perimeter with the most current and most complete PROACTIVE Vulnerability Assessment solution. Get your FREE White Paper now. Click here! oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo