|
Win32.Funlove专页
一、病毒基本特性
二、病毒命名对照(以FF#6样本库 Win32.funlove.4070样本为例)
| 反病毒产品 |
命名 |
| AVP |
Win32.funlove.4070 |
| MCAFEE SCAN |
W32/funlove.dr |
| PANDA |
W32/FUNLOVE.4099.DR |
| CA |
WIN32/FUNLOVE |
| NAV |
W32.FunLove.4099.dr |
三、病毒详细信息英汉对照
| It is not a dangerous memory resident parasitic Win32 virus. It affects PE EXE files on local and network drives. Because of its network spreading ability the virus can infect the local network from one infected workstation, in case the network access permissions allow writing for this user. |
FUNLOVE是一个非危险(破坏)性的内存驻留的WIN32病毒,它感染本地驱动器和网络驱动器上的PE可执行文件,因为有网络传播能力,它可以一个感染的工作站为基地,通过对当前用户写授权的网络资源进行传播。 |
The virus contains the text strings:
~Fun Loving Criminal~ |
这个病毒中包含一个文本串," ~Fun Loving Criminal~" |
| When an infected file is run, the virus creates the FLCSS.EXE file in the Windows system directory, writes its "pure" code to there and runs this file. This virus "dropper"
(FLCSS.EXE file) has Win32 PE format and is executed by the virus as a hidden Windows application (under Win9x) or as a service (under WinNT), and the infection routine takes control. |
当一个感染的文件运行时,这个病毒在windows的SYSTEM目录下创造一个名为FLCSS.EXE的文件,写入病毒体本身,并运行之,这个病毒的拆离体(FLCSS.EXE),是一个WIN32的PE格式文件,这个文件在WIN9X系统下运行是一个隐含的进程,而在NT系统下运行是作为一个服务,并且传染例程取得控制权。 |
| In case an error occurred while creating the dropper file (when the virus is run from infected file) the virus runs the infection routine from its instance in the infected host file. The file searching and infection process is run in background as a "thread", and as a result the host program is executed with no "visible" delays. |
一个问题会发生在创建拆离体的过程中(当一个感染病毒的文件加载运行的过程中),这个病毒通过它感染的主机文件中执行感染例程。这个文件检索和感染的过程是后台运行作为一个“线程”,由此引发的结果是:主机上的程序运行会发生莫名其妙的延迟。 |
| The infection routine scans all local drives from C: till Z:, then looks for network resources, scans subdirectory trees there and infects PE files that have .OCX,
.SCR or .EXE name extension. While infecting a file the virus writes its code to the end of the file to last file section and patches its entry routine with
"JumpVirus" instruction. The virus checks file names and does not infect the files:
ALER*, AMON*, _AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA*,
MPLA*. |
这个感染的例程扫描所有本地驱动器从C:到Z:,然后检索所有网络资源,检索
目录树并感染PE文件,包括.OCX、.SCR和.EXE的文件。当感染一个文件的时候,
这个病毒把代码写入文件后面的最后一个文件扇区,然后调用他们通过常见的“JumpVirus”的指令跳转手法。
这个病毒感染时对文件名进行检测,下列这些文件名不被感染:
ALER*, AMON*, _AVP*, AVP3*, AVPM*, F-PR*, NAVW*, SCAN*, SMSS*, DDHE*, DPLA*,
MPLA*. (译者注:这些文件名可能是反病毒软件的文件,由于反病毒软件一般都有自身校验机制,感染后会报警)。 |
| The virus is related to the "Bolzano" virus family and patches the NTLDR and
WINNT\System32\ntoskrnl.exe files in similar way the "Bolzano" virus does. The patched files should be restored from a backup. |
这个病毒属于"Bolzano"病毒家族,并且其对NTLDR和WINNT\System32\ntoskrnl.exe文件进行修改的手法,与"Bolzano"病毒相差无几,被病毒改动的文件可以从备份恢复。 |
左方英文资料来自AVP病毒百科全书,本站翻译成中文。转载请注明。
四、特别补充
对本病毒的查杀,建议通过干净磁盘引导,采用DOS查查杀程序处理。我们从测试了以下三种产品的DOS版本MCAFEE、NAV、AVP,均可从干净DOS环境下彻底清除该病毒。
金山提供了一个WIN 9X/NT/2000下的清除软件killfunlove.zip
病毒观察疫情追踪由www.virusview.net独家策划。转载请注明出处
|
