W32.FunLove.4099 Virus Compromises Server Security (287664)

MORE INFORMATION

The W32.FunLove.4099 virus infects a computer when a user runs a program that is infected with the virus. If an administrative user runs an infected program, the virus immediately gains access to that computer and attempts to install itself as a service on the computer.

For the W32.FunLove.4099 virus to succeed in the attack, it needs administrative rights on a computer that is running Windows NT Server or Windows NT Workstation during the initial infiltration, which occurs when an infected program is ran by an administrative user on the computer. After the administrator or someone with equivalent rights logs on, the W32.FunLove.4099 virus has the opportunity to patch the Ntoskrnl.exe file (this is the Windows NT kernel file that is located in the Winnt\System32 folder).

The virus modifies two bytes in a security function named SeAccessCheck that is part of Ntoskrnl.exe. Therefore, the virus can give full access to all users for every file, regardless of the file's protection, when the computer is booted with the modified kernel. This means that a guest can obtain administrative access to files on the computer. This poses a security risk because the virus can spread, regardless of the actual access restrictions on the particular computer.

After the virus has infected the computer, no data can be considered protected from any user until after the virus has been removed from the computer.

Virus Removal

For information about this virus and instructions about removing it, visit the following Symantec web site: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.