Funlove

Funlove

Type	File virus
Creator
Date Discovered	08-NOV-1999
Place of Origin
Source Language
Platform	MS Windows
File Type(s)	.exe, .ocx, .scr
Infection Length	4,099 bytes
Reported Costs

Funlove was a network-aware virus from 1999. It was one of the last major outbreaks of actual viruses, as 1999 marked the start of worm outbreaks. It was also prominent in several cases of mishaps in quality control, as it was distributed several times accidentally by vendors. Funlove also had a habit of piggybacking on worms.

Table of Contents

Behavior

When a file infected with Funlove is executed, it creates the file FLCSS.EXE in the system folder. This file contains the virus dropper, which is run as a hidden application in Windows 9X/ME or as a service in Windows NT. The virus will run from the file it is executed from if the FLCSS.EXE file does not work properly. It will run itself in a separate thread from the host program, so there is no delay in the program's execution to run the virus.

The virus searches all drives from C: to Z: and then scans network resources. It infects all .exe, .ocx and .scr files on all drives and all network drives the system has write access to, appending itself to the end of the file. It avoids files with the strings aler, amon, avp, avp3, avpm, f-pr, navw, scan, smss, ddhe, dpla or mpla in their names.

Variants

There are a few variants, mostly with different infection lengths being the distinguishing feature. Researchers noted similarities between Funlove and Bolzano along with Remex. The worms Winevar and Bridex, drop a variant of the virus onto infected systems. A Sircam variant became infected with Funlove and spread it around in early 2001. If this was intentional is uncertain.

Effects

Shortly after its release, Funlove became widespread in the US, Britain and Czech Republic. It hit the top 10 charts several times, and was on it as late as May 2003. It struck many corporate offices in Ireland. The virus was particularly prominent in some very embarrassing incidents where it was shipped from the factories of major corporations.

Hewlett-Packard released the virus in infected files for download from its site. The drivers mostly affected Japanese users and were released between December 17 and 19 in 2000. The virus affected 51 printer and BIOS files. Five and a half years later, HP released another download infected with the same virus. It was for a printer that had been discontinued by HP and was unlikely to have spread much from this incident.

In what some observers considered one of the worst security screw-ups in malware history, Microsoft accidentally released the Funlove in a security fix in April of 2001. Several update files from sites for Premier Support and Microsoft Gold Certified Partners were infected. Microsoft believed the infection began on April 6 and ended on April 20. Microsoft suspended updates for two weeks to make sure the virus was cleaned off their systems.

In November 2001, Funlove was shipped by Warner Brothers on a "Powerpuff Girls Meet the Beat Alls" DVD. It infected the Autostart file of the DVD, so a computer with the DVD would be infected as soon as it was inserted.

In January of 2003, Datatilsynet, the Norwegian Data Inspectorate, sent out the virus to subscribers of its newsletter. The virus was sent to about 1,700 subscribers. Most ironic is the fact that their newsletter deals with information security.

A Dell assembly plant in Limerick, Ireland was shut down for four days in November of 1999 because of the virus. 12,000 computers, 500 of them ready to be shipped, had to be checked for the virus. No viruses were found, and some suspected that Dell feared being blamed for the outbreak in Ireland. Checking for the virus cost Dell two days of lost production.