Threat behavior
Virus:Win32/Funlove.4099 is a file-infecting virus. This virus targets certain types of executable files on local drives and writeable network resources, and can compromise security by giving full administrator permissions to all users after the infected computer restarts.
When Virus:Win32/Funlove.4099 runs, it performs the following actions:
Drops a copy of itself as <system folder>\flcss.exe (detected as Virus:Win32/Funlove.4099.dr)
Executes <system folder>\flcss.exe
On Windows 9x/Me computers, Funlove.4099 runs as a Windows application
On Windows NT computers, Funlove.4099 runs as a Windows system service named "FLC"
Infects executable files with the file extensions .exe, .ocx and .scr:
Virus:Win32/Funlove.4099 appends its code to these files located on local hard drives or writable networked drives, including the common Windows shell application explorer.exe, causing further infection
Virus:Win32/Funlove.4099 avoids infecting files with names that begin with specific strings
If a Web site hosts infected Active controls (executable files with .ocx file extensions), the ActiveX control can infect the user browsing the infected site and control, specifically if the control is installed as a result of browsing the Web site
If the current user has administrator permissions, modifies the system files NTLDR and NTOSKRNL.EXE on Windows NT based computers:
at next Windows startup, all users are granted administrator permissions
Virus:Win32/Funlove (and all users) then will have unrestricted access to all files
in some cases the system files NTLDR and NTOSKRNL.EXE become corrupted, requiring restoration from backup, or reinstallation
If a user manually executes the dropped virus file named <system folder>\flcss.exe within a command shell, or in MS-DOS mode, the dropped virus displays the text "~Fun Loving Criminal~". The program then tries to reboot the computer so that the virus will run when Windows restarts. This attempt may fail, however, causing possible data loss if the computer locks up.
Prevention
