FRISK Software International

Summary of W32/FunLove.4099
Discovered: 11 Nov 1999
Definition files: 11 Nov 1999
Infection Method:File infection on local and shared network drives.
Jump to:
Brief description
Technical description

Brief Description
Funlove is a memory resident PE executable virus. It spreads over local networks and infects files on all local hard drives.

Technical Description

When executed it tries to pinpoint needed APIs for itself, if that succeeds it continues running the virus code, else it terminates and returns the control to the host. The virus checks if the current host is running either windows 95/98/ME or a NT system then it drops a clean copy of itself into the windows directory. In the dos stub of the dropped file the author has replaced the default error message if the user attempts to run the file in dos mode: "This program cannot be run in DOS mode." with this text "~Fun Loving Criminal~." That is where the name of the virus is derived from.

NT systems:
If it finds out that the host is running on a NT system then it will register the dropped file as a service with the name FLC. This service will run even though the user logs off, it will only terminate when the user shuts down the system. Then the virus will return the control to the host. The service takes over and runs the infection code.

95/98/ME systems:
On windows 95/98/ME systems it skips that part because services can't be created on those operating systems, instead it executes the dropped file as a hidden process. Same as for the NT system the virus will return the control to the host. And the process will take over and run the infection code.
If this fails on both 95/98/ME and NT systems the virus will run the infection code as a thread in the current process.

Infection code:
First it will remain inactive for one minute and twenty seconds. When it "wakes up" and scans through all drives from A to Z but it skips remote drives in this pass. It infects files with these extensions .exe .ocx and .scr files it finds during this scan. It also tries to patch NTLDR and ntoskrnl.exe on every local hard drive it scans. In case the operating is not installed on the default location(C drive). It uses two different code patches depending on the operating system, one for Windows NT and another one for Windows 2000. When these files has been patched and the computer has been rebooted every user on the machine has a administrator privileges, the probable reason for this is to boost infections over networks. When it is done scanning local drives it sleeps for 10 minutes. After that the odds are 1 in 32 that network scanning is invoked. The network drive scanning is very similar to the local drive scanning, it searches for the same files to patch on every drive and infects the same files. Then it will repeat the process, sleep for one minute and twenty seconds etc.

It doesn't infect files that begins with :


This list is crypted and kept near the end of the virus code.

When infecting files it puts the virus body at the end of the last section of the host. It patches the first eight bytes, that are at the hosts entry point, with a jump to the last section were the body of the virus is located.

Analysis / Description: Ragnar Gisli & Sigurdur A. Stefnisson FRISK Software international

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)