
Win32.Funlove


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Funlove is also known as Win32_FLC, Win32.FLC, FLCSS.

Explanation :

Win32.Funlove.4099 is a Win32 virus that infects 32-bit Windows portable executable (PE) files, including the .exe, .ocx and .scr file types, on Windows 9x, Windows NT 4.0 and Windows 2000 machines.

When an infected file is run, the virus creates the flcss.exe file in the Windows system folder (Windows\System for Windows 95/98/Me or Winnt\System32 for Windows NT). This file is then executed, infecting files from the Windows and Program folders. The virus creates a thread inside the infected program that infects portable executable files with the extensions .exe, .ocx and .scr on local and network drives.

While infecting a file, the virus writes its code to the end of the file (into the last file section) and patches the file's startup routine with 8 bytes of code that pass control to the virus body. When activated, the virus first restores these 8 bytes and then starts its main code.

Files whose names begin with the following letters are excluded and will not be infected:

ALER
AMON
AVP
AVP3
AVPM
F-PR
NAVW
SCAN
SMSS
DDHE
DPLA
MPLA
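
For incident scoping, the rules above can be applied to a file listing from a suspect host to separate the dropped flcss.exe, the files the virus would have targeted, and the files it skips. This Python example is added here and is not BitDefender's code; the function names, the case-insensitive matching and the sample listing are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Values taken from the description above.
TARGET_EXTENSIONS = {".exe", ".ocx", ".scr"}
EXCLUDED_PREFIXES = ("ALER", "AMON", "AVP", "AVP3", "AVPM", "F-PR",
                     "NAVW", "SCAN", "SMSS", "DDHE", "DPLA", "MPLA")
DROPPER_NAME = "flcss.exe"
SYSTEM_DIRS = {"windows\\system", "winnt\\system32"}


def classify(path):
    """Return 'dropper', 'in_scope' or 'out_of_scope' for one file path."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # Last two directory components, e.g. 'winnt\\system32'.
    parent_tail = "\\".join(part.lower() for part in p.parent.parts[-2:])
    if name == DROPPER_NAME and parent_tail in SYSTEM_DIRS:
        return "dropper"
    if p.suffix.lower() not in TARGET_EXTENSIONS:
        return "out_of_scope"
    # Assumption: prefix comparison is case-insensitive, as Windows names are.
    if name.upper().startswith(EXCLUDED_PREFIXES):
        return "out_of_scope"
    return "in_scope"


def triage(paths):
    result = {"dropper": [], "in_scope": [], "out_of_scope": []}
    for path in paths:
        result[classify(path)].append(path)
    return result


# Constructed sample listing, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\WINNT\System32\flcss.exe",
    r"C:\WINNT\System32\smss.exe",
    r"C:\Program Files\Tool\viewer.exe",
    r"C:\Program Files\Tool\grid.ocx",
    r"C:\WINNT\saver.scr",
    r"C:\Program Files\AV\AVPM.EXE",
    r"C:\WINNT\notes.txt",
    r"\\fileserver\share\setup.exe",
]

if __name__ == "__main__":
    for category, files in triage(SAMPLE_LISTING).items():
        print(category, files)
```

Files reported as in_scope are candidates for scanning or restoration from known-good media; a dropper hit indicates that an infected file has been run on that host.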

The virus will attempt to gain administrative rights on Windows NT. When someone with administrator rights logs on, the virus modifies the NT kernel (the NTLDR and C:\WinNT\System32\ntoskrnl.exe files) to allow Guest administrative rights to all files, including the ability to read and modify files. This allows access to normally restricted files when a user with restricted rights logs in.

Last update 21 November 2011

 
