
W32.Funlove.4099

Risk Level 2: Low

Discovered: November 8, 1999
Updated: February 13, 2007 11:34:17 AM
Also Known As: Win32.FunLove.4070 [KAV], W32/FunLove.gen [McAfee], PE_FUNLOVE.4099 [Trend], W32/Flcss [Sophos], Win32.Funlove.4099 [CA]
Type: Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.FunLove.4099 replicates under Windows 95/98/Me and Windows NT. It infects programs that have .exe, .scr, and .ocx extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system, and it runs as a service on Windows NT systems.



Additional repair information
In most cases, Norton AntiVirus (NAV) can repair files that are infected with W32.FunLove.4099:
  • Virus definitions dated earlier than October 10, 2000, did this by changing the 4099 bytes of viral code to zeros. The repaired file will therefore be 4099 bytes longer than it was before it was infected.
  • Virus definitions dated October 10, 2000, or later can inoculate files that are infected with W32.FunLove.4099, preventing them from being reinfected. Before FunLove attempts to infect a file, it first checks to see whether the file is already infected with FunLove. (This is a common procedure used by many viruses. The virus uses an algorithm to determine whether the file is infected.) To do this, the file size is divided by 256. If the remainder is 3, the virus assumes the file has already been infected, and it does not reinfect the file.

    When FunLove is detected with definitions dated October 10, 2000, or later, the viral code is removed from the file. To ensure that the file cannot be reinfected, NAV may then add extra bytes to the end of the file so that if it is again accessed by FunLove, then the virus will assume that the file has already been infected, and it will not reinfect it.
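
The size check and padding step described above can be reproduced to see which files the virus would skip. This is an added example, not NAV's or Symantec's code: the function names and the zero-byte filler are assumptions, the sample files are constructed, and the size test only shows what FunLove would treat as infected, not whether a file actually is.

```python
import os
import tempfile

MARKER_MODULUS = 256    # per the writeup: file size is divided by 256
MARKER_REMAINDER = 3    # remainder 3 means "already infected" to the virus
TARGET_EXTENSIONS = {".exe", ".scr", ".ocx"}  # extensions the writeup lists

def has_marker(size: int) -> bool:
    """True if FunLove's size check would treat a file of this size as infected."""
    return size % MARKER_MODULUS == MARKER_REMAINDER

def padding_needed(size: int) -> int:
    """Bytes to append so the size satisfies the check (0 if it already does)."""
    return (MARKER_REMAINDER - size) % MARKER_MODULUS

def inoculate(path: str) -> int:
    """Append zero bytes (assumed filler) to an already cleaned file; return count."""
    pad = padding_needed(os.path.getsize(path))
    if pad:
        with open(path, "ab") as fh:
            fh.write(b"\x00" * pad)
    return pad

def survey(root: str) -> dict:
    """Map each targeted file under root to whether its size passes the check."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = has_marker(os.path.getsize(full))
    return result

def demo() -> tuple:
    """Build constructed sample files, survey, inoculate, then survey again."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"a.exe": 1024, "b.scr": 259, "c.ocx": 4100, "notes.txt": 10}
        for name, size in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\x00" * size)
        before = survey(root)
        added = {n: inoculate(os.path.join(root, n)) for n in before}
        return before, added, survey(root)

if __name__ == "__main__":
    print(demo())
```

A file such as the constructed `b.scr` already passes the check by coincidence of its size, which is why the remainder alone cannot be used to decide that a file is infected.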

DEC Alpha computers
W32.Funlove.4099 cannot infect files on an Alpha computer unless those files are accessible by a Wintel computer and that computer places infected files on the Alpha computer. To clean infected files on the Alpha platform, isolate the computer from the network and then run an on-demand scan.

Antivirus Protection Dates

  • Initial Rapid Release version November 11, 1999
  • Latest Rapid Release version August 20, 2008 revision 017
  • Initial Daily Certified version November 11, 1999
  • Latest Daily Certified version August 20, 2008 revision 016
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Peter Szor
