Threat Descriptons



Category :


Type :


Aliases :



This virus is multi-platform and polymorphic infector affecting both DOS and Win32 files. It activates by changing the Windows wallpaper.

Win32.Libertine was named after these text strings in its code:

[Win32.Libertine v1.07b] Copyright 1998-xxxx by [NeverLoved] 		


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus can be found in three different forms:

  • infected Win32 PE files
  • infected DOS COM files
  • Win32 PE dropper (31672 bytes pure virus code)

Because of bugs the infected COM and EXE files cannot run under Windows NT, they are terminated with standard NT or DrWatson error message.

While infecting both Win32 and DOS files the virus writes its complete 32Kb code to the end of files and modifies file headers to pass control to the virus routine. The addresses of entry routines are different in all three cases of infection. The virus in both infected Win32 and DOS programs when takes control searches for Win32 dropper (the C:\MYLENE.EXE file), executes it and returns control to the host program. If there are no dropper in root directory on the C: drive, the virus first creates and then executes it.

These dropper activation routines are quite short in infected files. In case of DOS COM files it is just about 200-bytes simply create-write-close-run routine. In case of Win32 files it is more sophisticated, but also quite silly and short.

So the virus in infected files just creates and runs dropper - no more, and all infection and payload virus functions falls on the Win32 virus dropper. The virus also disables the AVPI anti-virus program.

Before calling infection routines the virus calls the trigger routine. This routine is executed with probability 1/8 depending on the system time counter and changes the Windows background picture (WallPaper) to a picture of a French female singer Mylene Farmer.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.