The most publicised viruses are not necessarily the most costly. W32/FunLove (also known as W32/Flcss) is a memory-resident Win32 virus that was discovered in November 1999. However, several large organisations in Hong Kong have been affected recently and, because it spreads via network shares, once it is established at a site it is difficult to get rid of - infected machines can re-infect machines across the network faster than technicians can clean them. Disconnecting everything from the network and reconnecting machines when they have been cleaned and verified is the simplest option. Obviously, this severely disrupts the organisation and will be unpopular with users, so accomplishing it requires power and authority. Compare this with the current biological virus situation - H5N1 and the chicken slaughter, which has support from the highest levels of government.
Additionally, disinfecting machines is not trivial because the virus is memory-resident. Detailed disinfection instructions are available:
- Instructions for disinfecting W32/Flcss (Sophos)
- W32/FunLove.4099 (McAfee)
- DOS FunLove.4099 Fix Tool (Symantec)
Finally, on NT systems, FunLove modifies the NT kernel (NTOSKRNL.EXE) and NT loader (NTLDR), disabling access control - all users can access all files. Therefore, these must be replaced from a clean source (backup or a Service Pack).
Altogether, this is a lot of work for technicians, and a lot of disruption for users. However, it is less likely to get in the news than a email worm outbreak for two reasons: Email worms are effectively self-publicising - all the contacts of the victim receive a copy, and most of their contacts, and so on, until a reporter notices and documents the infected companies. Conversely, it is easier to keep news of a FunLove outbreak inside a company. Secondly, FunLove spreads between organisations slowly, whereas email worms typically have a massive outbreak, and then almost disappear.