
Clean Virus In Windows NT


Tee Eng Teng

Jan 28, 2003, 4:35:06 AM
Can anyone guide me on how to boot from DOS in a way that can write to the NTFS partition
in Windows NT, to clean the Funlove virus?

Please Help ... Urgent !!!


Regards,
Tee ET.


Jerry Leslie

Feb 3, 2003, 2:09:56 PM
Tee Eng Teng (te...@lion.com.my) wrote:
: Can anyone guide me on how to boot from DOS in a way that can write to the NTFS partition
: in Windows NT, to clean the Funlove virus?
:
: Please Help ... Urgent !!!
:
:
http://www.europe.f-secure.com/v-descs/funlove.shtml
F-Secure Computer Virus Information Pages: FunLove

"NAME: FunLove
ALIAS: Win32_FLC, Win32.FLC, FLCSS
SIZE: 4070

[snip]

The virus also patches the NTLDR and WINNT\System32\ntoskrnl.exe files
the similar way Bolzano virus does. The patched files are not
recoverable and should be restored from backup.

[snip]


Disinfection of Funlove:

Disinfection of Funlove requires removing the virus from all
disinfectable files with F-Secure Anti-Virus and renaming or deleting
of all locked or non-disinfectable files including Funlove dropper
FLCSS.EXE file. To be able to disinfect or delete locked files, you
have to exit to pure DOS and clean a system with a DOS version of
F-Prot or AVP. Or in case of Windows NT, you have to rename the
file(s) with a non-executable extension (for example *.EX1) and
restart a system.

In all cases FLCSS.EXE file and all non-disinfectable files should be
deleted or renamed before Windows is started next time or a system
will be re-infected.

If infection is in a network, you could protect clean systems with
F-Secure's Anti-Funlove utility:

ftp://ftp.europe.f-secure.com/anti-virus/tools/antifun.zip

and then disinfect all infected workstations separately. Note that
GateKeeper/OAS setting should be set to 'Disinfect Automatically' when
infection is in a network and it's not possible to take it down. But
it is advised to take network down during disinfection as Funlove will
try to spread from infected to clean systems via network. Our utility
should stop it from doing that, but it's safer to disinfect when
network is not functioning.

Note that a system should be clean before the utility can be
installed.

Also as the virus patches the \NTLDR and WINNT\System32\ntoskrnl.exe
files to disable NT's security the patched files should be restored
from a backup."

HTH,

--Jerry Leslie (my opinions are strictly my own)
Note: les...@jrlvax.houston.rr.com is invalid for email
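
The offline pass the quoted F-Secure text describes (rename the FLCSS.EXE dropper to a non-executable extension, then identify which of NTLDR and ntoskrnl.exe must be restored from backup), as an added example that is not part of the original thread and not F-Secure's tooling. It assumes the infected volume is mounted from a clean system and that a backup tree with the same layout, taken before the infection, is available; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import hashlib, tempfile
from pathlib import Path

DROPPER = "flcss.exe"                               # dropper name from the quoted text
PATCHED = ["NTLDR", "WINNT/System32/ntoskrnl.exe"]  # files the text says get patched

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_ci(root, rel):
    """Resolve rel under root ignoring case, as Windows does on NTFS."""
    cur = Path(root)
    for part in Path(rel).parts:
        hits = [p for p in cur.iterdir() if p.name.lower() == part.lower()] if cur.is_dir() else []
        if not hits:
            return None
        cur = hits[0]
    return cur

def triage(volume, backup, rename=False):
    """Report droppers and changed boot files; optionally rename droppers to .EX1."""
    report = {"droppers": [], "renamed": [], "restore": []}
    hits = sorted(p for p in Path(volume).rglob("*")
                  if p.is_file() and p.name.lower() == DROPPER)
    for p in hits:
        report["droppers"].append(p)
        if rename:  # non-executable extension, so it cannot run at next boot
            report["renamed"].append(p.rename(p.with_suffix(".EX1")))
    for rel in PATCHED:
        live, good = find_ci(volume, rel), find_ci(backup, rel)
        if live is None or good is None:
            report["restore"].append((rel, "missing on volume or in backup"))
        elif sha256(live) != sha256(good):  # equal only means "same as the backup"
            report["restore"].append((rel, "differs from backup copy"))
    return report

def demo():
    """Constructed sample tree: one dropper, NTLDR changed, kernel intact."""
    with tempfile.TemporaryDirectory() as d:
        vol, bak = Path(d, "vol"), Path(d, "backup")
        for root in (vol, bak):
            (root / "WINNT" / "System32").mkdir(parents=True)
            (root / "NTLDR").write_bytes(b"loader")
            (root / "WINNT/System32/ntoskrnl.exe").write_bytes(b"kernel")
        (vol / "NTLDR").write_bytes(b"loader-patched")          # simulated patch
        (vol / "WINNT/System32/FLCSS.EXE").write_bytes(b"x")    # placeholder dropper
        rep = triage(vol, bak, rename=True)
        return [p.name for p in rep["renamed"]], rep["restore"]
```

Run `triage()` with `rename=False` first to review the report before anything on the volume is changed.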
