
Fun Love Virus


THoey

IS-IT--Management
Jun 21, 2000
2,142
US
All,

I know this is an old virus that just keeps hanging around, but it is one we are having problems with here at my company. I did some research today and McAfee had this document about removing it from the corporate enterprise. I thought I would share it here, in case anyone else gets infected by it. Lengthy, but helpful.

************************************************************
Removal of the FUNLOVE Virus in an Enterprise Environment

This document is intended to provide insight and understanding to the nature of this particular virus threat and to other worm activities using similar technologies to spread. Please contact your Enterprise Support Account Manager to further discuss this infection in your environment.

Further, this document is not intended to take the place of published virus information presently available at the AVERT VIL web site.

First discovered in November of 1999, the FUNLOVE virus continues to plague corporations throughout the United States and the world. For up-to-date information on the virus characteristics, please visit:
An Overview of the Removal Process

When viruses typically strike, the natural tendency is to lay focus on the infected items, be they executables, Microsoft files or the like. In the case of FUNLOVE, the focus need not be pointed to the infected items provided certain precautions are made. This will become clearer later.

Instead, while we will take all necessary steps to clean the infected files, the emphasis initially will be on the identification and containment of the rogue machines that are the attackers. It is recommended to start the eradication process at the Server level first.

Cleaning is achieved in a series of Phases.
While a machine may have infected files resident, that machine may not also be a host and hence an attacker. In order for a machine to become a host, these conditions must be met:
1. An infected executable is launched
2. The folder FLCSS.exe does not exist under the appropriate directory.

If the infected executable is never launched, the virus will not activate to leave its dropper.
If the folder FLCSS.exe exists, the dropper will not be written to disk.

Phase I: Inoculation/Prevention
For the remainder of this document, when the flcss.exe file or folder is referred to, it is implied that this folder exists in c:\windows\system on Windows 9.x machines and c:\winnt\system32 for Windows NT.

To prevent machines from becoming hosts BEFORE an infected executable is launched, create the folder FLCSS.EXE in C:\WINNT\SYSTEM32 for Windows NT and C:\WINDOWS\SYSTEM for Windows 9.x.

You can accomplish the deployment via login script, .BAT file attachments via e-mail or deployment software. Note: deployment software (like SMS agent software or SuperDAT) may disable your virus software leaving the computer temporarily open to infection. Deployment software featuring options like hardware inventory can pull an infected .exe file from the workstation. This could infect other workstations using the software from that point forward. Because of this, care should be taken in using such software.

Phase II: Identification
Network traffic monitors, auditing for NT or system logs can be used to identify the host machines. Once the offending machines are identified, it is now necessary to take corrective action to erase the virus.

Phase III: Containment
Any machine on the network will exist in either one of two states:
1) File FLCSS.exe does not exist on the machine, due to the fact that infected files were never launched. This machine is not a host to this virus, but still may be a carrier. On these machines clean the infected files. This machine will not become a host if the Flcss.exe folder exists in the appropriate directory.

2) File FLCSS.exe exists on the machine, an infected executable has been launched. This machine is a host and a carrier to the virus. Unfortunately, the second state is the most common. In this stage, the FLC service is launched. Due to the nature in which this service is loaded, the FLC service cannot be stopped by standard methods such as NET STOP commands or via the GUI.

There are ways to remove the FLCSS.exe so as to disable this method of infection, but such actions may cause the system to become unstable as NTLDR and NTKRNL.exe have been modified.

Phase IV: Containment/Eradication
Steps to remove FUNLOVE differ between FAT and NTFS partitioned machines.

FAT-partitioned machines: Follow the instructions available at
NTFS-partitioned machines: Follow the instructions available at with the following caveats and further considerations.

Preparation (The steps in this section create a known-clean source for the antivirus files in a manner which protects these files from infection. If such a machine already exists, it can be modified for such use instead.)

1. Isolate and load a machine with NT/2000 Workstation configured for connection to your network but physically disconnected from the network.
2. Remove all shares including administrative and hidden shares.
3. Now connect to the network, but log on to the local machine only. Note: You must not log on to a domain or allow any scripts to run on this machine or you run the risk of infecting the machine.
4. Download version 4.5 of VirusScan and Netshield together with the latest SuperDAT from the NAI download pages.
5. From a command line, extract the SuperDAT using the /e switch. Example: sdat4086 /e
6. Share the directory containing VirusScan/Netshield and the extracted SuperDAT's, with "Read Only" permissions.

Cleaning an infected workstation.

1. From the infected machine connect to the workstation share that was created in the above steps.
2. Copy the contents of the share into a temporary directory on the infected machine. This will include the installation package (VSCI45L.zip), SUPERDAT executable and the extracted superdat elements.
3. In this step you will be removing the dropper file and the process or service. Three option steps are provided, each with a varying degree of success. It is suggested that you proceed with Option A and move through until Option C. If you still are not able to remove the file/service, then contact your Enterprise Support Account Manager.
a) From the folder created in step 2, run SCAN.EXE (from a command prompt) against the file FLCSS.EXE, located in the %winroot%\system32 directory with the switches: /clean /nodda.

Example: SCAN C:\WINNT\SYSTEM32\FLCSS.EXE /clean /nodda

b) Create a batch file to remove the FLC registry key, delete the file flcss.exe, and create the folder FLCSS.EXE. Because the file flcss.exe may be in use/locked, and therefore unable to be deleted, it will be necessary to include the batch file in the RunOnce registry key so that it runs at startup. If this is the case, scan the entire hard drive using scan.exe c: /clean /nodda before rebooting. Before rebooting delete the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FLC] or null it out using a batch file. This will prevent the service from starting at bootup.
Attached here is a sample script containing these cleaning instructions. This is provided to serve as an example only.

c) From the NT Resource kit, run KILL against the process. Manually delete FLCSS.exe.

5. Once the file has been removed/cleaned, run SCAN.EXE on the rest of the machine using the switches /adl /clean /nodda /sub

Example: SCAN /adl /clean /nodda /sub

Then ensure that the folder FLCSS.exe exists in the proper sub-directory.

6. After Scan has completed, turn off the machine. Do not do a "Shutdown" or "Reboot." This will ensure that the virus will not be loaded in memory upon restarting the machine.
7. Power on the machine and uninstall any version of VirusScan that may currently be on the machine.
8. Extract VirusScan v4.5 from the Zip file.
9. Run the VirusScan v4.5 setup program and install VirusScan v4.5.
10. After VirusScan v4.5 is loaded and running on the machine, execute the SuperDAT file.
11. Make sure that the scan engine and DAT files have been updated.
12. To ensure that the machine is still virus free run an On-Demand scan or a Command Line scan on the machine scanning all local hard drives.
Once the machine is verified to be cleaned it will be safe to reconnect the machine to the network. Note: It is highly recommended that inbound file scanning is selected in the system scan properties before reconnecting the machine to the network.
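The batch file described in step 3b (null out the FLC service key, delete the flcss.exe dropper, create the FLCSS.EXE inoculation folder, and fall back to RunOnce when the file is locked) is illustrated below. This is an added example written for this post, not the script attached to the original document nor McAfee code; it assumes Windows NT/2000 with %SystemRoot% set, the share contents copied to C:\TEMP\FLC per step 2, and regedit.exe available for silent .reg imports. The same folder-creation step at the end is what a Phase I login script would do on a clean machine.

```batch
@echo off
rem FLCCLEAN.BAT - illustrative FUNLOVE dropper cleanup (added example, not the
rem script attached to the original post). Assumes Windows NT/2000, %SystemRoot%
rem set (e.g. C:\WINNT) and SCAN.EXE copied to C:\TEMP\FLC as in step 2.
rem Run it once by hand; if FLCSS.EXE is locked by the FLC service it registers
rem itself under RunOnce so the delete happens at the next start, after the
rem service key has already been removed and can no longer load the dropper.

set FLCDIR=%SystemRoot%\system32
set WORK=C:\TEMP\FLC

rem 1. Null out the FLC service key so the dropper is not started at boot.
rem    The "[-Key]" form in a REGEDIT4 file deletes the key on import.
echo REGEDIT4> %WORK%\FLCDEL.REG
echo.>> %WORK%\FLCDEL.REG
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FLC]>> %WORK%\FLCDEL.REG
regedit /s %WORK%\FLCDEL.REG

rem 2. If FLCSS.EXE is already a folder, the machine is inoculated; if it is
rem    absent, go straight to creating the folder; otherwise try to delete it.
if exist %FLCDIR%\FLCSS.EXE\NUL goto inoculated
if not exist %FLCDIR%\FLCSS.EXE goto inoculate
attrib -r -s -h %FLCDIR%\FLCSS.EXE
del %FLCDIR%\FLCSS.EXE
if not exist %FLCDIR%\FLCSS.EXE goto inoculate

rem 3. Still present: the file is locked by the running service. Schedule this
rem    script via RunOnce and clean the whole drive before the power cycle (3b).
echo REGEDIT4> %WORK%\FLCRUN.REG
echo.>> %WORK%\FLCRUN.REG
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]>> %WORK%\FLCRUN.REG
echo "FLCClean"="C:\\TEMP\\FLC\\FLCCLEAN.BAT">> %WORK%\FLCRUN.REG
regedit /s %WORK%\FLCRUN.REG
%WORK%\SCAN.EXE C: /clean /nodda
echo FLCSS.EXE is locked. Power the machine off and on (not Shutdown/Reboot).
goto end

:inoculate
rem 4. Create the FLCSS.EXE folder so the dropper can never be written again.
md %FLCDIR%\FLCSS.EXE
:inoculated
echo FLCSS.EXE folder is in place; %FLCDIR% is inoculated.
:end
```

On Windows 9.x substitute %windir%\system for the FLCDIR value, since %SystemRoot% is not defined there.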

Additional Comments

An important consideration for those who quarantine infected items:
If you have VirusScan or Netshield configured to quarantine infected items, these executables will be in the quarantine folder with the .VIR extension. Once infected files are cleaned, you will need to rename these files back to their original names and then place them in the appropriate folder.

If the OAS is configured to quarantine infected files, it is recommended to set the action to Clean Files Automatically.

If you are using VirusScan/NetShield v4.0.x you will need to make sure that the extensions OCX and SCR are added to the Program File Extension list and that there are no entries other than Pagefile.sys in the Exclusion list.
Terry M. Hoey
th3856@txmail.sbc.com
While I don't mind e-mail messages, please post all questions in these forums for the benefit of all members.