From (发信人): ssmxjl (苦瓜), Board (信区): Virus
Subject (标题): Re: Help: how do I get rid of the funlove virus?
Posted at (发信站): BBS 水木清华站 (Sun Dec 3 23:01:47 2000)

W32.Funlove.4099
Discovered on: November 8, 1999
Last Updated on: November 8, 2000 3:03:16 PM PST

Due to a recent increase in world-wide infections of this virus, SARC is raising awareness of this virus by adding it to the "Top Threats" list. Although protection for this virus has been available since November 1999, SARC recommends that users familiarize themselves with the characteristics of this virus by carefully reading this write-up.

W32.FunLove.4099 is a Win32 virus that replicates under Windows 9x and Windows NT systems. It infects applications with .exe, .scr, or .ocx extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system, and it runs as a service on Windows NT systems.

Category: Virus
Infection length: 4099 bytes
Virus definitions: November 11, 1999

Threat assessment:
  Wild: High
  Damage: Medium
  Distribution: High

Wild:
  Number of infections: More than 1000
  Number of sites: More than 10
  Geographical distribution: High
  Threat containment: Moderate
  Removal: Moderate

Damage:
  Payload trigger: An infected file is executed, and flcss.exe is dropped and run as a regular process in C:\Windows\System.
  Payload:
    Modifies files: Win32 files with .exe, .scr, or .ocx extensions.
    Degrades performance: Corrupts Windows applications.
    Causes system instability: Causes degradation in system performance and sometimes crashes.

Distribution:
  Shared drives: Runs as an NT service and can spread on the local drives.
  Target of infection: Win32 files with .exe, .scr, or .ocx extensions.

Technical description:

W32.FunLove.4099-infected applications will create the program file flcss.exe in the Windows System directory upon execution on both Windows NT and Windows 95/98 systems. If flcss.exe (4608 bytes) can be written to the hard disk, the virus executes it as a service on Windows NT machines.
If for any reason the service could not be executed, the virus will create a thread inside the infected application. That thread will infect the local and network drives by searching for PE (Portable Executable) files with .exe, .scr, or .ocx extensions. The thread will then execute inside the infected process, and the main thread of the application will get control. Therefore, the user will not easily notice any delays. When the virus can execute itself as a service process under the "FLC" name, other infected programs will try to insert the flcss.exe file, but will not create a new infection thread.

W32.FunLove.4099 is the second virus that runs as a service on Windows NT. WNT.RemEx.A (W32.RemoteExplorer) is very similar in its functions to W32.FunLove.4099, but W32.FunLove.4099 can work on both Windows 95/98 and Windows NT. Therefore, it is considered more successful than WNT.RemEx.A (W32.RemoteExplorer). When the virus runs as a service, it can spread on the local drives without anyone logged on to the machine. That way the virus is able to infect files that are normally not accessible after log on (for example, the virus can infect explorer.exe on a Windows NT system).

On Windows 95/98 machines, infected programs will copy flcss.exe to the hard disk and try to execute it as a regular process. If the process cannot be executed, the virus will try to execute the infection thread inside the infected process and then execute the host program.

This virus also attacks the Windows NT file security system. In order for the virus to attempt the attack, it needs administrative rights on a Windows NT Server or Windows NT Workstation during the initial infiltration. Once the Administrator or someone with equivalent rights logs on, W32.FunLove.4099 has the opportunity to patch ntoskrnl.exe (the Windows NT kernel, located in the WinNT\System32 directory). The virus modifies only two bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe.

Thus, W32.FunLove.4099 is able to give full access to all users to every file regardless of its protection, whenever the machine is booted with the modified kernel. This means that a Guest - who has the lowest possible rights on the system - will be able to read and modify all files, including files that are normally accessible only by the Administrator. This is a potential problem since the virus can spread everywhere it wants regardless of the actual access restrictions on the particular machine. Furthermore, after the attack, no data can be considered protected from any user.

Unfortunately, the consistency of ntoskrnl.exe is checked in only one place. The loader, ntldr, is supposed to check it when it loads ntoskrnl.exe into physical memory during machine boot-up. If the kernel gets corrupted, ntldr is supposed to stop loading ntoskrnl.exe and display an error message even before a "blue screen" appears. In order to avoid this particular problem, W32.FunLove.4099 also patches ntldr, so that no error message will be displayed and Windows NT will boot just fine even if the kernel's checksum does not match the original. Since no code checks the consistency of ntldr itself, the patched kernel will be loaded without notification to the user. Since ntldr is a hidden, system, read-only file, W32.FunLove.4099 changes its attributes to "archive" before it attempts to patch it. The virus does not change the attributes of ntldr back to their original values after the patch.

FunLove can also infect local and network drives. It enumerates the mapped network drives and infects PE files on those machines. Additionally, the above-described ntoskrnl.exe/ntldr patch is performed on the network drives. Whenever a machine maps the system drive of a Windows NT system with sufficient rights, the virus modifies the kernel and the loader components over the network. The ntoskrnl.exe and ntldr patches are executed by a routine picked up from the Bolzano virus.
In fact, more than fifty percent of the virus code shows similarities to the Bolzano virus.

The virus does not infect files whose names begin with the following characters:

  aler amon avp avp3 avpm f-pr navw scan smss ddhe dpla mpla

These are names of anti-virus programs, as well as a few other applications.

Removal:

On Windows 9x systems:
  1. Update the NAV Rescue Disk Set or Norton SystemWorks Rescue Disk Set.
  2. Restart the computer using the Rescue Boot Disk.
  3. Follow the onscreen instructions to scan the system using the Rescue Disk.
  4. Delete the flcss.exe file that NAV detects as W32.Funlove.4099.
  5. Let NAV repair the other files that NAV detects as infected with W32.Funlove.4099.

On Windows NT systems:
  Download the tool to disable the W32.Funlove NT service and to fix the ntoskrnl.exe and ntldr.exe system files.
  NOTE: Funlove does not infect Alpha machines running NT. There is no need to run the Funlove cleanup tool (cleanflc.exe) on Alpha machines running NT.
  The FLCSS.EXE viral program runs as a Win NT service; thus, it needs to be disabled before repairing other infected files. You need to replace the ntoskrnl.exe and ntldr.exe system files.

For both removal procedures above, you need to have administrator rights on the Win NT system.

Write-up by: Peter Szor

【 In radio (沧海一声笑)'s post: 】
: Save me! I've already reinstalled the system three times.
--
Also, funlove infects your files over the network, and Rising (瑞星) is very weak at defending against operations coming from outside. I suggest using kill98.
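Added example (my own, not part of ssmxjl's post or of the SARC write-up it quotes). The "consistency" check the write-up says ntldr performs on ntoskrnl.exe is the PE optional-header CheckSum, so this script recomputes that checksum with the standard algorithm (the one imagehlp's MapFileAndCheckSum implements), runs it on a constructed minimal PE32 image rather than a real kernel, shows that a two-byte code patch of the kind the write-up describes breaks the match, and shows that re-stamping the header field makes the patched file pass again. The sample image, the patch offset and bytes, and the verify_file helper are assumptions of this example.

```python
"""Added example: PE optional-header checksum verification (not from the page)."""
import struct

CHECKSUM_FIELD_IN_OPTIONAL_HEADER = 64   # same offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, after validating the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + COFF file header (20) + CheckSum offset in optional header
    return e_lfanew + 4 + 20 + CHECKSUM_FIELD_IN_OPTIONAL_HEADER


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the PE checksum over the whole file (standard algorithm):
    one's-complement sum of 16-bit words, skipping the field, plus file length."""
    cs_off = checksum_field_offset(data)
    padded = data + b"\0" * (len(data) % 2)       # sum whole 16-bit words
    total = 0
    for off in range(0, len(padded), 2):
        if cs_off <= off < cs_off + 4:             # skip the CheckSum field itself
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def read_stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def stamp_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum into the header (what a linker does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def checksum_matches(data: bytes) -> bool:
    """The ntldr-style consistency check: stored field equals recomputed value."""
    return read_stored_checksum(data) == compute_pe_checksum(data)


def verify_file(path: str) -> bool:
    """Hypothetical helper (assumption of this example): same check on a file on disk."""
    with open(path, "rb") as f:
        return checksum_matches(f.read())


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image (i386, no sections); not a real ntoskrnl.exe."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)    # PE32 magic
    body = bytes(range(256)) * 4                   # stand-in for kernel code
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + body


def patch_bytes(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Apply an in-place code patch, like the two-byte change the write-up describes."""
    buf = bytearray(data)
    buf[offset:offset + len(new_bytes)] = new_bytes
    return bytes(buf)


def demo() -> dict:
    clean = stamp_checksum(build_sample_image())
    # Overwrite two bytes of the stand-in code, well past the headers, with
    # EB 05 (an unconditional short jump): the typical shape of such a patch.
    patched = patch_bytes(clean, len(clean) - 300, b"\xEB\x05")
    restamped = stamp_checksum(patched)   # an attacker who also fixes the header
    return {
        "clean_ok": checksum_matches(clean),          # True
        "patched_ok": checksum_matches(patched),      # False: ntldr would complain
        "restamped_ok": checksum_matches(restamped),  # True: the check is not a defence
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Point verify_file at a copy of ntoskrnl.exe to run the same comparison an unmodified kernel passes. The restamped case is the reason a checksum of this kind is a corruption check rather than an integrity control: it only detects a change that leaves the header field stale, which is also why hiding the mismatch (the write-up says FunLove did it by patching ntldr) is enough to make the modified kernel load silently.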