
FYI Virus Alert!


Keith

Oct 24, 2000, 3:00:00 AM10/24/00
----- Original Message -----
From: Hermann Flores A.
To: Hermann Flores
Sent: Tuesday, October 24, 2000 6:05 PM
Subject: Be careful with this virus / Dangerous Virus


The following explanation is about a dangerous virus. It is infecting .exe
application files, especially 32-bit applications. Please update your AV
software. Check whether you already have FLCSS.EXE on your system.
W32.Funlove.4099
Discovered on: November 8, 1999
Last Updated on: October 5, 2000 11:12:54 AM PST


Due to a recent increase in world-wide infections of this virus, SARC is
raising the awareness of this virus by adding it to the "Top Threats" list.
Although protection for this virus has been available since November 1999,
SARC recommends that users familiarize themselves with the characteristics
of this virus by carefully reading this writeup.

W32.FunLove.4099 is a Win32 virus that replicates under Windows 9x and
Windows NT systems. It infects applications with .exe, .scr, or .ocx
extensions. What is notable about this virus is that it uses a new strategy
to attack the Windows NT file security system, and it runs as a service on
Windows NT systems.

Category: Virus

Infection length: 4099 Bytes

Virus definitions: November 11, 1999

Threat assessment:

Wild: High
Damage: Medium
Distribution: High


Wild

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Moderate
Damage

Payload Trigger: Infectious File is executed and flcss.exe is dropped and
run as a regular process in C:\Windows\System.
Payload:
Modifies files: Win32 files with .exe, .scr, or .ocx extensions.
Degrades performance: Corrupts Windows Applications.
Causes system instability: Causes degradation in system performance and
sometimes crashes.
Distribution

Shared drives: Runs as an NT service and can spread on the local drives.
Target of infection: Win32 Files with .exe, .scr, or .ocx extensions.
Technical description:


W32.FunLove.4099 infected applications will create the program file
flcss.exe in the Windows System directory upon execution on both Windows NT
and Windows 95/98 systems. If flcss.exe (4608 bytes) can be written to the
hard disk, the virus executes it as a service on Windows NT machines. If for
any reason the service could not be executed, the virus will create a thread
inside the infected application. That thread will infect the local and
network drives by searching for PE (Portable Executable) files with .exe,
.scr, or .ocx extensions. The thread will then execute inside the infected
process and the main thread of the application will get control. Therefore,
the user will not easily notice any delays. When the virus can execute
itself as a service process under the "FLC" name, other infected programs
will try to insert the flcss.exe file, but will not create a new infection
thread. W32.FunLove.4099 is the second virus that runs as a Service on
Windows NT. WNT.RemEx.A (W32.RemoteExplorer) is very similar in its
functions to W32.FunLove.4099, but W32.FunLove.4099 can work on both Windows
95/98 and Windows NT. Therefore, it is considered more successful than
WNT.RemEx.A (W32.RemoteExplorer). When the virus runs as a service it can
spread on the local drives without anyone logged on to the machine. That way
the virus will be able to infect files that are normally not accessible
after logon (for example, the virus can infect explorer.exe on a
Windows NT system).

On Windows 95/98 machines, infected programs will copy flcss.exe to the hard
disk and try to execute it as a regular process. If the process cannot be
executed, the virus will try to execute the infection thread inside the
infected process and then executes the host program.

This virus also attacks the Windows NT file security system. In order for
the virus to attempt the attack, it needs administrative rights on a Windows
NT Server or Windows NT Workstation during the initial infiltration. Once
the Administrator or someone with the equivalent rights logs on,
W32.FunLove.4099 has the opportunity to patch ntoskrnl.exe (the Windows NT
kernel located in the WinNT\System32 directory). The virus modifies only 2
bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe.
Thus, W32.FunLove.4099 is able to give full access to all users to each file
regardless of its protection, whenever the machine is booted with the
modified kernel. This means that a Guest - who has the lowest possible
rights on the system - will be able to read and modify all files, including
files that are normally accessible only by the Administrator. This is a
potential problem since the virus can spread everywhere it wants to
regardless of the actual access restrictions on the particular machine.
Furthermore, after the attack, no data can be considered protected from any
user.

Unfortunately, the consistency of ntoskrnl.exe is checked in only one place.
The loader, ntldr, is supposed to check it when it loads ntoskrnl.exe into
physical memory during machine boot-up. If the kernel gets corrupted, ntldr
is supposed to stop loading ntoskrnl.exe and display an error message even
before a "blue screen" appears. In order to avoid this particular problem
W32.FunLove.4099 also patches ntldr, so that no error message will be
displayed and Windows NT will boot just fine even if its checksum does not
match with the original. Since no code checks the consistency of ntldr
itself, the patched kernel will be loaded without notification to the user.
Since ntldr is a hidden, system read-only file, W32.FunLove.4099 changes the
attributes of it to "archive" before it attempts to patch it. The virus does
not change the attribute of ntldr back to its original value after the
patch. FunLove can also infect local and network drives. It enumerates the
mapped network drives and infects PE files on those machines. Additionally,
the above-described ntoskrnl.exe/ntldr patch is performed on the network
drives. Whenever a machine maps the system drive of a Windows NT system with
sufficient rights, the virus modifies the kernel and the loader components
over the network.

The ntoskrnl.exe and ntldr patches are executed by a routine picked up from
the Bolzano virus. In fact, more than fifty percent of the virus code shows
similarities to the Bolzano virus.

The virus does not infect files that begin with the following characters in
their names:

aler
amon
avp
avp3
avpm
f-pr
navw
scan
smss
ddhe
dpla
mpla

These are names of anti-virus programs, as well as a few other applications.

Removal:

On Windows 9x systems:

1. Update NAV Rescue Disk Set or Norton SystemWorks Rescue Disk Set
2. Restart the computer using the Rescue Boot Disk
3. Follow the onscreen instructions to scan the system using the Rescue Disk
4. Delete the flcss.exe file that NAV detects as W32.Funlove.4099
5. Let NAV repair other files that NAV detects as infected with
   W32.Funlove.4099

On Windows NT systems:

Click here to download a tool to disable the W32.Funlove NT service, and to fix
the ntoskrnl.exe and ntldr.exe system files.

1. The FLCSS.EXE viral program runs as a Win NT service; thus, it needs to be
   disabled before repairing other infected files.
2. You need to replace the ntoskrnl.exe and ntldr.exe system files.

For both removal steps above, you need to have administrator rights to the Win
NT system.

Hermann Flores
herm...@vtr.net
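As an added illustration, not part of the original post or of Symantec's writeup: a small offline Python triage helper that checks a directory tree for the indicators the writeup gives. It looks for the dropped flcss.exe and compares its size with the 4608 bytes stated above, enumerates the PE files with .exe/.scr/.ocx extensions that the virus would consider, flags the names its prefix exclusion list would skip (which explains why anti-virus binaries survive an outbreak), and compares ntoskrnl.exe/ntldr against a known-good SHA-256 that you must supply from clean installation media. The sample tree built by build_sample_tree() and its fake PE headers are constructed for the demo; the function names are this example's own, not a Symantec tool.

```python
"""Offline triage checks for the W32.FunLove.4099 indicators in the writeup.

Added example, not part of the original post or Symantec's writeup. The
directory tree from build_sample_tree() is constructed for the demo; the
known-good hashes passed to verify_baseline() must come from clean media.
"""
import hashlib
import os
import struct
import tempfile
from pathlib import Path

TARGET_EXTS = {".exe", ".scr", ".ocx"}     # file types the virus infects
DROPPER_NAME = "flcss.exe"                  # dropped into the System directory
DROPPER_SIZE = 4608                         # size stated in the writeup
# Name prefixes the virus refuses to infect (AV tools and a few others).
SKIP_PREFIXES = ("aler", "amon", "avp", "avp3", "avpm", "f-pr",
                 "navw", "scan", "smss", "ddhe", "dpla", "mpla")


def is_pe(path):
    """True if the file has an MZ header and a PE\\0\\0 signature at e_lfanew."""
    try:
        with path.open("rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def virus_would_skip(name):
    """The writeup's exclusion rule: case-insensitive prefix match on the name."""
    return name.lower().startswith(SKIP_PREFIXES)


def find_dropper(root):
    """Locate any flcss.exe under root and note whether its size matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == DROPPER_NAME:
                p = Path(dirpath) / name
                size = p.stat().st_size
                hits.append({"path": str(p), "size": size,
                             "size_matches": size == DROPPER_SIZE})
    return hits


def enumerate_targets(root):
    """List PE files the virus would consider, flagging those its rule skips."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and is_pe(p):
                out.append({"path": str(p), "name": name,
                            "skipped_by_virus": virus_would_skip(name)})
    return out


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(path, expected_sha256):
    """Compare ntoskrnl.exe / ntldr against a known-good hash from clean media."""
    return sha256_of(path) == expected_sha256.lower()


def make_fake_pe(payload=b"\0" * 64):
    """Constructed minimal MZ+PE header, enough for is_pe(); not a real program."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + payload


def build_sample_tree(base):
    """Constructed sample: System dir with the dropper, two PE targets, a text file."""
    sysdir = base / "Windows" / "System"
    sysdir.mkdir(parents=True)
    # 0x44 = 68 bytes of MZ/PE header, so the file totals exactly DROPPER_SIZE.
    (sysdir / "flcss.exe").write_bytes(make_fake_pe(b"\0" * (DROPPER_SIZE - 0x44)))
    (base / "notepad.exe").write_bytes(make_fake_pe())
    (base / "avp32.exe").write_bytes(make_fake_pe())   # AV-style name: skipped
    (base / "readme.txt").write_bytes(b"not a PE file")
    (base / "ntldr").write_bytes(b"constructed loader stand-in")
    return base


def triage(root):
    return {"dropper": find_dropper(root), "targets": enumerate_targets(root)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        for key, value in triage(root).items():
            print(key, value)
```

Point triage() at a mounted or mapped drive to list the dropper and the PE files that were exposed; a hit on flcss.exe at 4608 bytes is the quickest indicator, and a baseline mismatch on ntldr or ntoskrnl.exe means the kernel patch described above has to be assumed and the files replaced from clean media.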

