W32.FunLove.4099 replicates under Windows 95/98/Me and Windows NT. It infects programs that have .exe, .scr, and .ocx extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system, and it runs as a service on Windows NT systems.
Additional repair information
In most cases, Norton AntiVirus (NAV) can repair files that are infected with W32.FunLove.4099:
DEC Alpha computers
- Virus definitions dated earlier than October 10, 2000, did this by changing the 4099 bytes of viral code to zeros. The repaired file will therefore be 4099 bytes longer than it was before it was infected.
- Virus definitions dated October 10, 2000, or later can inoculate files that are infected with W32.FunLove.4099, preventing them from being reinfected. Before FunLove attempts to infect a file, it first checks to see whether the file is already infected with FunLove. (This is a common procedure used by many viruses. The virus uses an algorithm to determine whether the file is infected.) To do this, the file size is divided by 256. If the remainder is 3, the virus assumes the file has already been infected, and it does not reinfect the file.
When FunLove is detected with definitions dated October 10, 2000, or later, the viral code is removed from the file. To ensure that the file cannot be reinfected, NAV may then add extra bytes to the end of the file so that if it is again accessed by FunLove, then the virus will assume that the file has already been infected, and it will not reinfect it.
W32.Funlove.4099 will not be able to infect files on an Alpha computer, unless those files are accessible by a Wintel computer, and that computer places infected files on the Alpha computer. To clean infected files on the Alpha platform, isolate the computer from the network and then run an on-demand scan.
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.