R:991117/0204Z @:NL3DAV.ZH.NLD.EU #:29477 [Leiderdorp] FBB7.00g23
R:991116/2340Z @:NL3ONB.ZH.NLD.EU #:15062 [ZH Main FWD Den Haag] $:54207_LW1BBS
R:991116/2231Z @:NL3IPR.IPR.NLD.EU #:9712 [IPR] FBB7.00g23 $:54207_LW1BBS
R:991116/0558Z @:SK1BBS.FRL.NLD.EU #:42832 [Sneek/Snits] FBB7.00g
R:991115/0805Z @:LW1BBS.FRL.NLD.EU #:54207 [Leeuwarden] FBB7.00e $:54207_LW1BBS

From: NL1DDL@LW1BBS.FRL.NLD.EU
To  : VIRUS@NLD

W32/FunLove.4099 is a new virus. AVERT has assigned it a MEDIUM risk assessment.
W32/FunLove.4099 is a parasitic
Win32 PE file infector that works on both Win9x and WinNT 4.0.
It infects .EXE, .SCR and .OCX files.
When the virus is first run,
it drops a file called FLCSS.EXE into the %SYSTEM% folder.
The virus then directly infects all .EXE, .SCR, and .OCX files 
in the folders Program Files
and WINDOWS/WINNT, including any sub-folders.
Because the default Windows shell Explorer.exe is kept in here,
the virus is re-executed whenever the system is restarted.
The virus uses a routine lifted from the W32/Bolzano virus to patch the NT files
NTOSKRNL.EXE and NTLDR.
This enables the virus to have full access to the system 
after the next system reboot.
Periodically, the virus scans any network shares with write access,
and infects any EXE, SCR or OCX files on the shared network drives.
The virus is not encrypted or polymorphic.
Infected files have a copy of the FLCSS.EXE file added to the end 
of the last PE section,
and the length of the infected files increases by 4099 bytes.
When executed under DOS, the file FLCSS.EXE displays the message
~Fun Loving Criminal~ and then tries to reset the machine 
in order to load Windows.