Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Funlove.4096 is run as:
- Another system service (called FLC), in Windows NT computers.
- A process, in Windows 98/95.
Funlove.4096 has the following effects:
- It infects files on all the disk drives of the affected computer and on the shared drives of the network to which it is connected, provided that they have write access (from C: to Z:).
The files it infects are 32-bit Windows PE files with an EXE, OCX or SCR extension.
- In Windows NT 4.0 computers it grants administrator rights to all users that work with the infected computer.
This means that these users can perform operations and access the information it contains. They can also access the information in other computers connected in a network with the infected computer.
In order to do this, Funlove.4096 needs a Windows NT 4.0 computer, which has an administrator session open. In this case, it modifies certain system files. The next time the computer is restarted, any user will be considered the administrator.
- It displays the text ~Fun Loving Criminals~ on screen and then restarts the computer. This results in the loss of the information that has not been saved since the start of the session.
Infection strategy
- Funlove.4096 creates the file FLCSS.EXE in the Windows system directory (\Windows\System or \WinNT\System32).
- The function of FLCSS.EXE is to find and infect files with an EXE, SCR or OCX extension. It looks for these files in all disk drives (from C: to Z:).
- Funlove.4096 modifies the files NTOSKRNL.EXE and NTLDR, when it is run in Windows NT 4.0 and the user has administrator rights.
- By modifying the NTOSKRNL.EXE file, it can grant full access to the system. In order to do this, Funlove.4096 modifies two bytes in the API function SeAccessCheck.
- By modifying the NTLDR file, it avoids the changes to the NTOSKRNL.EXE file being discovered. It does this by modifying one byte of this file.
- Funlove.4096 also makes the modifications described above on the disk drives of Windows NT computers that belong to or are mapped in a network.
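A triage check built from the indicators listed above, as an added example that is not Panda Security's code: it looks for FLCSS.EXE in the system directories of a disk image mounted offline and byte-compares NTOSKRNL.EXE and NTLDR against known-good copies taken from clean media of the same build. The file locations on the image, the function names and the sample bytes are assumptions constructed for the demonstration.

```python
import os, tempfile

SYSTEM_DIRS = ("windows/system", "winnt/system32")  # directories named in the entry
DROPPER = "flcss.exe"                                # file the entry says is created
PATCHED = {"ntoskrnl.exe": "winnt/system32/ntoskrnl.exe", "ntldr": "ntldr"}  # assumed default paths

def find_ci(root, rel):
    """Resolve rel under root case-insensitively (image mounted on a non-Windows host)."""
    for part in rel.split("/"):
        names = os.listdir(root) if root and os.path.isdir(root) else []
        root = next((os.path.join(root, n) for n in names if n.lower() == part), None)
    return root

def byte_diff(suspect, reference):
    """Offsets at which two files differ; -1 is appended if their lengths differ."""
    with open(suspect, "rb") as f, open(reference, "rb") as g:
        a, b = f.read(), g.read()
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return diff + ([-1] if len(a) != len(b) else [])

def triage(image_root, reference_dir):
    """Report dropper paths and changed offsets in the files the entry says are patched."""
    hits = [find_ci(image_root, d + "/" + DROPPER) for d in SYSTEM_DIRS]
    report = {"dropper": [h for h in hits if h], "patched": {}}
    for name, rel in PATCHED.items():
        sus, ref = find_ci(image_root, rel), find_ci(reference_dir, name)
        diff = byte_diff(sus, ref) if sus and ref else []
        if diff:
            report["patched"][name] = diff
    return report

def constructed_sample(tmp):
    """Constructed evidence tree; contents are placeholder bytes, not real binaries."""
    sys32 = os.path.join(tmp, "image", "WINNT", "System32")
    os.makedirs(sys32); os.makedirs(os.path.join(tmp, "ref"))
    good = bytes(range(256)) * 8
    kern, ldr = bytearray(good), bytearray(good)
    kern[300:302] = b"\x00\x00"      # two changed bytes (offsets are made up)
    ldr[40] = 0xFF                   # one changed byte (offset is made up)
    blobs = {sys32 + "/NTOSKRNL.EXE": kern, tmp + "/image/NTLDR": ldr, sys32 + "/FLCSS.EXE": b"",
             tmp + "/ref/NTOSKRNL.EXE": good, tmp + "/ref/NTLDR": good}
    for path, blob in blobs.items():
        with open(path, "wb") as f:
            f.write(blob)
    return os.path.join(tmp, "image"), os.path.join(tmp, "ref")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*constructed_sample(tmp)))
```

The reference copies must come from the same Windows NT build and service pack as the image; otherwise legitimate differences will swamp the few changed bytes.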
Means of transmission
Funlove.4096 mainly spreads through computer networks.
In order to carry out its infection, Funlove.4096 infects files in all the disk drives in the affected computer.
Funlove.4096 also infects files in all the shared drives in the network to which it is connected, provided that they have write access.