From: James Harnett USWEST NET>
Date: 13 nov 1999
Subject: Virus Alert #2

Below is another "Virus Alert" that I received from Computer Associates (Date: Fri, 12 Nov 1999 19:16:52 -0500). Remember that there are literally thousands (I'll get a real number for you soon) of potentially harmful viruses. The Anti Virus Software developers are constantly trying to keep up with them and send Virus Signature Updates to the users of their primary software. All of these packages are about the same in cost, but the Updates are free to you if you have one or more of their licenses. I strongly recommend that you invest in this form of insurance for your system, hard work, and data. If you are running Windows of any flavor, then you need especially to learn how to set it up correctly and maintain its functionality. There is an immense number of security holes found in the Windows Operating Systems.

Computer Associates International, Inc. (NYSE: CA), the world leader in mission-critical business computing, provides software, support and integration services in more than 100 countries around the world. CA has more than 17,500 employees and had revenue of $5.3 billion in fiscal year 1999.

Cheers,
James

==============================================
AntiVirus Alert from Computer Associates
Version 99.19
Date: Fri, 12 Nov 1999 19:16:52 -0500

Win32/Funlove.4099 (also known as Win32/FLC.4099 and W32/FLCSS) is a fast-infecting Windows 95/98 and NT virus that also spreads to network shares and, under NT, can interfere with security.

Win32/Funlove.4099 was reported to several antivirus companies from a few, widespread sites in early November 1999. It has no deliberately damaging payload, but consequential damage from its security lowering payload on NT could be considerable.

As a simple appender, Win32/Funlove.4099 works by copying its code to the end of the last section of its host.
It then modifies the PE header entries to reflect the new section sizes, sets that section's characteristics to suit its needs and alters the code at the original entry point to execute the virus code.

When an infected program is run, the virus code gains control. Win32/Funlove.4099 creates the file FLCSS.EXE in the system directory and extracts its code from the end of the infected host, writing it into that file. FLCSS.EXE is then executed. If run with the appropriate permissions under NT, FLCSS.EXE installs itself as a service. This shows up as "FLC" in the standard NT services list and is set to run automatically at each startup. Under Windows 9x, it runs as a hidden program that is not visible in the task list.

On first running, and then periodically via a timer, this virus checks each drive for EXE, SCR (screen saver) and OCX (ActiveX control) files, infecting any it finds suitable. It also searches for accessible network shares and infects any files of the same types to which it has write access. Thus, it can spread very quickly between machines with 'generous' file sharing policies.

Although it has no direct data damaging payload, under NT, Win32/Funlove.4099 patches the file NTOSKRNL.EXE, causing 'access allowed' to always be returned for file permission requests. This means that security is severely compromised on afflicted machines. During NT startup, the integrity of NTOSKRNL.EXE is checked by NTLDR, so the virus also patches NTLDR so it will allow the modified NTOSKRNL to load. These patches only work with some NT service packs, but the virus applies the patches regardless of the SP-level of its host machine, requiring restoration from backup or re-installation of these files, following disinfection of an FLC outbreak on NT machines.

If FLCSS.EXE is run under DOS, it displays the string '~Fun Loving Criminal~' then attempts to reboot the machine via the keyboard controller.
This is presumably in the hope that Windows will load and the virus may have another chance to run. The attempt often fails, locking the machine up instead.

= = = = = = = = = = = = = = = = = = =
James Harnett, (503) 282-8698
mharnett uswest net
P.O. Box 12150
Portland, Oregon 97212-0150 U.S.A.
= = = = = = = = = = = = = = = = = = =
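
Added example (not part of the original e-mail or the Computer Associates alert): a triage check for the two header-level traces an appender of the kind described above leaves in a PE file, namely a last section whose characteristics allow both writing and execution, and entry-point code that branches into that last section. The function names are hypothetical, the sample image is constructed, and the assumption that the altered entry code is a near call or jmp is mine, not the alert's.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION = "<8sIIII12xI"  # name, vsize, vaddr, raw size, raw ptr, characteristics

def parse_pe(data):
    """Return (entry_rva, section tuples) read from the PE headers in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry_rva, = struct.unpack_from("<I", data, pe + 40)
    table = pe + 24 + opt_size  # section table follows the optional header
    return entry_rva, [struct.unpack_from(SECTION, data, table + 40 * i) for i in range(count)]

def rvas(sec):
    return range(sec[2], sec[2] + max(sec[1], sec[3]))  # RVAs the section covers

def appender_indicators(data):
    """List heuristic signs that code was appended to the last section."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return []
    last, found = sections[-1], []
    if last[5] & MEM_EXECUTE and last[5] & MEM_WRITE:
        found.append("last section is writable and executable")
    for sec in sections[:-1]:
        if entry_rva in rvas(sec):
            off = sec[4] + entry_rva - sec[2]  # file offset of the entry point
            insn = data[off:off + 5]
            if len(insn) == 5 and insn[0] in (0xE8, 0xE9):  # assumed: near call/jmp rel32
                target = (entry_rva + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF
                if target in rvas(last):
                    found.append("entry point branches into last section")
    return found

def build_sample(patched):
    """Constructed two-section image (not a real program) to exercise the checks."""
    img = bytearray(0x400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x80)  # e_lfanew -> 0x80
    struct.pack_into("<4sHH12xHH", img, 0x80, b"PE\0\0", 0x14C, 2, 0xE0, 0x102)
    struct.pack_into("<I", img, 0x80 + 40, 0x1000)  # AddressOfEntryPoint
    flags = 0xE0000020 if patched else 0x40000040
    struct.pack_into(SECTION, img, 0x178, b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
    struct.pack_into(SECTION, img, 0x1A0, b".rsrc", 0x200, 0x2000, 0x200, 0x600, flags)
    code = b"\xE9" + struct.pack("<i", 0x10FB) if patched else b"\x55\x8B\xEC\x33\xC0"
    return bytes(img) + code.ljust(0x200, b"\xC3") + bytes(0x200)
```

Both indicators also turn up in legitimately packed or self-modifying programs, so a hit is a reason to scan the file with current signatures, not a verdict.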