Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Funlove.4099 is run as:
- Another system service (called FLC), in Windows NT computers.
- A process, in Windows 95 and Windows 98 computers.
Its effects are:
- It affects Windows NT, Windows 98 and Windows 95 computers.
- It grants administrator rights to all users that work with the infected computer.
  In order to do this, Funlove.4099 needs a Windows NT 4.0 computer with an administrator session open. In this case, it modifies certain system files. The next time the computer is restarted, any user will be considered the administrator.
- The files it infects are 32-bit Windows (Win32) PE files with an EXE, OCX or SCR extension.
- It infects files in all the disk drives in the affected computer and in the disk drives it shares in the network to which it is connected, and which have write access (from C: to Z:).
Infection strategy
Funlove.4099 creates the file FLCSS.EXE in the Windows system directory (by default, C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32). The function of FLCSS.EXE is to find and infect files with an EXE, SCR or OCX extension. It looks for these files in all disk drives (from C: to Z:).
Funlove.4099 modifies the files NTOSKRNL.EXE and NTLDR, when it is run in Windows NT 4.0 and the user has administrator rights.
- By modifying the NTOSKRNL.EXE file, it can grant full access to the system. In order to do this, Funlove.4099 modifies two bytes in the API function SeAccessCheck.
- By modifying the NTLDR file, it prevents the changes to the NTOSKRNL.EXE file from being discovered. It does this by modifying one byte of this file.
Funlove.4099 also makes the modifications described above on the disk drives of Windows NT computers that belong to or are mapped in a network.
Means of transmission
Funlove.4099 mainly spreads through computer networks.
In order to carry out its infection, Funlove.4099 infects files in all the disk drives in the affected computer.
Funlove.4099 also infects files in all the shared drives in the network to which it is connected, provided that they have write access.
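A triage sketch for the indicators in the Infection strategy section, added here as an example and not taken from Panda Security: it walks a volume mounted on a clean analysis machine, flags FLCSS.EXE in the default system directories, lists the PE32 files with the targeted extensions, and compares NTOSKRNL.EXE and NTLDR against known-good hashes. The function names, the sample tree and the baseline are assumptions; real baseline hashes would come from clean installation media.

```python
import hashlib, os, struct

IOC_NAME = "flcss.exe"                          # file the page says is dropped
SYSTEM_DIRS = {("windows", "system"), ("winnt", "system32")}  # page's default paths
TARGET_EXTS = {".exe", ".ocx", ".scr"}          # extensions the page lists
INTEGRITY_FILES = {"ntoskrnl.exe", "ntldr"}     # files the page says are modified
# Constructed sample: smallest header that passes is_pe32(), not a real program.
SAMPLE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 20 + b"\x0b\x01"

def is_pe32(path):
    """True if the file has MZ and PE signatures and a PE32 optional-header magic."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])   # e_lfanew
        nt = f.read(26)          # signature (4) + COFF header (20) + magic (2)
    return len(nt) == 26 and nt[:4] == b"PE\0\0" and nt[24:26] == b"\x0b\x01"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(root, baseline):
    """Walk a mounted volume. baseline: lower-case file name -> known-good SHA-256."""
    report = {"ioc": [], "at_risk": [], "integrity_mismatch": []}
    for dirpath, _dirs, files in os.walk(root):
        parts = tuple(p.lower() for p in os.path.relpath(dirpath, root).split(os.sep))
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low == IOC_NAME and parts in SYSTEM_DIRS:
                report["ioc"].append(path)
            elif os.path.splitext(low)[1] in TARGET_EXTS and is_pe32(path):
                report["at_risk"].append(path)
            if low in baseline and low in INTEGRITY_FILES and sha256_file(path) != baseline[low]:
                report["integrity_mismatch"].append(path)
    return report

def build_sample(root):
    """Write a constructed tree (hypothetical layout); return a constructed baseline."""
    files = {"WINNT/SYSTEM32/FLCSS.EXE": SAMPLE_PE, "APPS/TOOL.SCR": SAMPLE_PE,
             "WINNT/SYSTEM32/NTOSKRNL.EXE": SAMPLE_PE + b"changed",
             "NTLDR": b"loader", "APPS/README.EXE": b"not a PE file"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {"ntoskrnl.exe": hashlib.sha256(SAMPLE_PE + b"clean").hexdigest(),
            "ntldr": hashlib.sha256(b"loader").hexdigest()}
```

Calling triage(root, build_sample(root)) on an empty temporary directory exercises all three report lists; on a real image, pass the mount point and a baseline built from trusted copies of the two system files.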