McAfee AVERT - A Division of NAI
Cleaning W32/Funlove.4099 on WinNT NTFS
Cleaning this virus requires using either VirusScan 4.5 SCAN.EXE, or
BOOTSCAN.EXE with a minimum engine of v4.0.70 - . Using a clean system, extract this update and copy over
existing emergency boot disk files.
On WinNT FAT systems, this virus can be cleaned off any hard drives
using an emergency disk made from a known clean system.
The cleaned system must remain disconnected from any network until all
the remaining systems have been scanned and cleaned. You will need to boot
from a clean floppy with the emergency repair product on each system,
including Microsoft servers.
The virus in any infected system will infect other systems on the same
network that "share" disk space. Additionally, it is memory resident and
will re-infect all systems that share disk space with it as fast as you
clean them, if connected to the network during or after cleaning.
Preparation

These steps are directed towards networked environments. The basis of
these instructions is to work from a point of origin and distribute a
cleaning method to all infected systems via a share. The point of origin
is a fresh Windows NT workstation or server that is disconnected from the
network.
1. Image or install a fresh Windows NT workstation which is also not
   connected to the network. Configure this system to connect to the
   network.
2. Remove all shares, including administrative shares.
3. Reboot if necessary and connect to the network; however, do not log
   into a domain or allow any scripts to run on this machine.
4. Create a download folder on this machine and then download VirusScan
   v4.5 and the current SUPERDAT update into this folder.
5. In command line mode, run the SUPERDAT file with the /e parameter to
   extract the files to the same folder. The object is to create a new
   .zip file with the contents of the SUPERDAT file.
6. Zip the extracted contents into a new .zip file and delete the
   original SDAT4xxx.exe file. Delete the extracted files as well.
7. Share this folder with "read-only" permissions to everyone.

Cleaning a system

1. From an infected system, connect to the workstation share referenced
   in the above steps.
2. Copy the contents of the share into a temporary directory on the
   infected machine.
3. Disconnect the infected machine from the network (unplug the network
   cable). If this is not done the machine will not get cleaned!
4. From the folder created in step 2, run Scan.exe (from a command
   prompt) against the file flcss.exe, located in the %windir%\system32
   directory, with the switches: /clean /nodda
   Example: scan c:\winnt\system32\flcss.exe /clean /nodda
5. Once the file has been removed/cleaned (use Task Manager to verify
   that the flcss.exe process is no longer running), run Scan on the rest
   of the hard drive using the switches: /clean /nodda /sub
   Example: scan c: /clean /nodda /sub
6. After Scan.exe has completed the scan, turn off the machine. This will
   ensure that the virus will not be loaded in memory upon restarting the
   machine. Note: Do not do a "Shutdown" or "Reboot".
7. Power on the machine and uninstall any version of VirusScan that may
   currently be on the machine.
8. Extract VirusScan v4.5 from the Zip file into another directory.
9. Extract the SuperDAT file from the zip file located in the temporary
   directory in step 2.
10. Run the VirusScan v4.5 setup program and install VirusScan v4.5.
11. After VirusScan v4.5 is loaded and running on the machine, execute
    the SuperDAT file.
12. Make sure that the scan engine and DAT files have been updated.
13. To ensure that the machine is still virus free, run an On-Demand scan
    on the machine, scanning all local hard drives.
14. Once the machine is verified to be cleaned, it will be safe to
    reconnect the machine to the network.

Note: It is highly recommended that inbound and outbound file scanning
is selected in the system scan properties before reconnecting the machine
to the network.