|Place of Origin|
|File Type(s)||.exe, .ocx, .scr|
|Infection Length||4,099 bytes|
Funlove was a network-aware virus from 1999. It was one of the last major outbreaks of actual viruses, as 1999 marked the start of worm outbreaks. It was also prominent in several cases of mishaps in quality control, as it was distributed several times accidentally by vendors.
When a file infected with Funlove is executed, it creates the file FLCSS.EXE in the system folder. This file contains the virus dropper, which is run as a hidden application in Windows 9X/ME or as a service in Windows NT. The virus will run from the file it is executed from if the FLCSS.EXE file does not work properly. It will run itself in a separate thread from the host program, so there is no delay in the progam's execution to run the virus.
The virus searches all drives from C: to Z: and then scans network resources. It infects all .exe, .ocx and .scr files on all drives and all network drives the system has write access to, appending itself to the end of the file. It avoids files with the strings aler, amon, avp, avp3, avpm, f-pr, navw, scan, smss, ddhe, dpla or mpla in their names.
There are a few variants, mostly with different infection lengths being the distinguishing feature. Researchers noted similarities between Funlove and Bolzano along with Remex. The worms Winevar and Bridex, drop a variant of the virus onto infected systems.
Shortly after its release, Funlove became widespread in the US, Britain and Czech Republic. It hit the top 10 charts several times, and was on it as late as May 2003. It struck many corporate offices in Ireland. The virus was particularly prominent in some very embarrassing incidents where it was shipped from the factories of major corporations.
Hewlett-Packard released the virus in infected files for download from its site. The drivers mostly affected Japanese users and were released between December 17 and 19 in 2000. The virus affected 51 printer and BIOS files. Five and a half years later, HP released another download infected with the same virus. It was for a printer that had been discontinued by HP and was unlikely to have spread much from this incident.
In what some observers considered one of the worst security screw-ups in malware history, Microsoft accidentally relesed the Funlove in a security fix in April of 2001. Several update files from sites for Premier Support and Microsoft Gold Certified Partners were infected. Microsoft believed the infection began on April 6 and ended on April 20. Microsoft suspended updates for two weeks to make sure the virus was cleaned off their systems.
In November 2001, Funlove was shipped by Warner Brothers on a "Powerpuff Girls Meet the Beat Alls" DVD. It infected the Autostart file of the DVD, so a computer with the DVD would be infected as soon as it was inserted.
In January of 2003, Datatilsynet, the Norwegian Data Inspectorate, sent out the virus to subscribers of its newsletter. The virus was sent to about 1,700 subscribers. Most ironic is the fact that their newsletter deals with information security.
A Dell assembly plant in Limerick, Ireland was shut down for four days in November of 1999 because of the virus. 12,000 computers, 500 of them ready to be shipped, had to be checked for the virus. No viruses were found, and some suspected that Dell feared being blamed for the outbreak in Ireland. Checking for the virus cost Dell two days of lost production.
F-Secure Antivirus, FunLove.
Peter Szor. Symantec, W32.Funlove.4099. 2007.02.13
John Leyden. The Register, Microsoft security fixes infected with FunLove virus. 2001.04.25
-. -, HP distributes virus infected drivers. 2001.01.24
-. -, Klez-H remains top nuisance. 2003.05.01
-. -, Braid fails to unpick the Web. 2002.11.05
Drew Cullen. The Register, Fun Loving Criminals torpedo Dell factory. 1999.11.19
Computerwire, The Register, Winevar worm sets sites on Symantec. 2002.11.28
Sophos Press Office, Red faces as Norway's Data Inspectorate distributes virus. 2003.01.23
Robert McMillan. IDG News (through Attrition.org), HP printer drivers hit with Funlove virus. 2006.06.02