Sulfnbk.exe Hoax

from the February 2002 Newsletter
by Jeremy Fairbrass

I thought it might be a good idea to re-run this article from the June 2001 newsletter, as it seems the old sulfnbk hoax is doing the rounds again, and I have received e-mail after e-mail from people who have followed the misadvice and deleted the file in question. It is not hard to be informed about viruses, and the Internet is all about information. It's right there at your fingertips!

www.symantec.com/avcenter/ - This link will tell you all about the latest viruses.
http://www.symantec.com/avcenter/vinfodb.html - This link presents you with an encyclopaedia and a search feature so you can look up information about viruses and hoaxes. - Ed

I'm writing this article to counter a particular virus HOAX that is circulating around the world this week. This hoax is the fastest spreading virus hoax I've ever seen, and already many people I know have fallen victim to its wrong and harmful instructions.

The wording of the hoax is included below, but basically the hoax tells the reader that a file on their hard drive, called SULFNBK.EXE, is actually a virus, and that they should delete this file before 1st June because the virus will activate itself on that date.

THIS IS NOT TRUE!!

There is indeed a file called SULFNBK.EXE on most computers - it's actually a legitimate Windows utility that is used to restore long filenames! (See http://support.microsoft.com/support/kb/articles/q190/4/18.asp for proof). The file is installed on your computer when Windows is installed. Like any other .EXE file, it can be infected by any virus that targets .EXE files; however, the file itself is definitely not a virus, as this hoax claims it to be.

(Note, however, that according to Symantec's website, "the virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The [legitimate] Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to a email message, then it is possible that the file is infected.")
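The location rule in Symantec's note can be applied to a file listing or to attachment names. The following is an added example, not part of the original article; the function names and the sample listing are made up for illustration.

```python
from pathlib import PureWindowsPath

# Location of the genuine file, as quoted from Symantec in the article.
LEGIT_DIR = PureWindowsPath(r"C:\Windows\Command")
TARGET = "sulfnbk.exe"

def classify(path_str):
    """Return 'expected', 'suspicious' or 'unrelated' for a path or attachment name."""
    p = PureWindowsPath(path_str.strip())
    if p.name.lower() != TARGET:
        return "unrelated"
    # PureWindowsPath compares case-insensitively, as Windows file names do.
    # 'expected' only means the right folder: any .EXE can still be infected,
    # so the file should be scanned with antivirus software as usual.
    return "expected" if p.parent == LEGIT_DIR else "suspicious"

def triage(paths):
    """Summarise a listing such as the output of `dir /s /b sulfnbk.exe`."""
    report = {"expected": [], "suspicious": [], "needs_restore": False}
    for raw in paths:
        if not raw.strip():
            continue
        verdict = classify(raw)
        if verdict != "unrelated":
            report[verdict].append(raw.strip())
    # No copy in the Windows command folder means the utility was deleted
    # (for example by someone following the hoax) and should be restored.
    report["needs_restore"] = not report["expected"]
    return report

# Constructed sample listing (not real scan output).
SAMPLE = [
    r"C:\WINDOWS\COMMAND\SULFNBK.EXE",
    r"C:\My Documents\Downloads\Sulfnbk.exe",
    r"C:\WINDOWS\TEMP\sulfnbk.exe",
    r"C:\WINDOWS\COMMAND\SCANDISK.EXE",
    "Sulfnbk.exe",  # bare name, as it would appear on an e-mail attachment
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("expected", "suspicious"):
        for item in result[key]:
            print(f"{key:10} {item}")
    print("needs_restore:", result["needs_restore"])
```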

If you read the hoax (below), you should spot several obvious signs that indicate it's a hoax. Firstly there is the encouragement to send the warning on to everyone in your address book. This way, the hoax is quickly propagated around the Internet, which results in panic or uncertainty amongst Internet users who don't know enough about hoaxes to realise that it is one. Secondly, the hoax tells us that McAfee and Norton can't detect the virus because it's still dormant. This isn't true - just because a virus is dormant and waiting for a particular date to release its payload, doesn't mean it can't be detected with antivirus software. This statement is simply another example of scare-mongering.

Hoaxes like these can actually do a lot of harm - they aren't harmless as some people might think. Forwarding them on causes panic and confusion, can result in people following their instructions with negative results (as seen with this hoax), and can even result in a "boy who cries wolf" effect, whereby less-informed Internet users become de-sensitised by all the hoaxes and then ignore a REAL virus warning. Remember, most new Internet users have the mindset that "if I read it on the internet, it must be true". Sadly this is not the case. When receiving an email that claims to alert you to a new virus, look for tell-tale warning signs of a hoax, such as those mentioned in the previous paragraph. Also, look for URLs (links) to web pages at reputable antivirus sites that back up the warning claim. A good virus warning should ALWAYS link to a website, e.g. at Norton or McAfee, to back up its claims. Lastly, if in doubt, check with a computer "geek" (such as myself) or your Internet Service Provider, or browse through a good antivirus website (e.g. www.symantec.com/avcenter/) for information on the warning, to determine if it's real or a hoax. Most antivirus websites have info on hoaxes as well as legitimate viruses.
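The warning signs described above (a push to forward the message to everyone, a claim that antivirus software cannot detect the threat, and no link to an antivirus vendor's write-up) can be checked mechanically. This is an added example, not part of the original article; the regular expressions and the vendor domain list are assumptions chosen to match the wording discussed here.

```python
import re

# Assumed phrasings for the signs the article describes; tune for real mail.
FORWARD_RE = re.compile(
    r"\b(contact|forward|send|tell|warn)\b[^.!?]{0,60}\b(everyone|everybody|all)\b"
    r"|address book", re.I)
UNDETECTABLE_RE = re.compile(
    r"\b(no|cannot|can't|can not|unable to)\b[^.!?]{0,60}\bdetect"
    r"|do not rely on your anti-?virus", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+)", re.I)
# Assumed allow-list, taken from the vendor links given in the article.
VENDOR_DOMAINS = ("symantec.com", "mcafee.com")

def hoax_signs(message):
    """Return the list of hoax warning signs found in a virus-alert e-mail."""
    signs = []
    if FORWARD_RE.search(message):
        signs.append("urges mass forwarding")
    if UNDETECTABLE_RE.search(message):
        signs.append("claims antivirus cannot detect it")
    hosts = [h.lower().rstrip(".") for h in URL_RE.findall(message)]
    backed_up = any(h == d or h.endswith("." + d)
                    for h in hosts for d in VENDOR_DOMAINS)
    if not backed_up:
        signs.append("no link to an antivirus vendor write-up")
    return signs

# Excerpt of the hoax text reproduced in the article.
HOAX = (
    "No Virus software can detect it. It will become active on June 1, 2001. "
    "The bad part is: You need to contact everyone you have sent ANY E-mail "
    "to in the past few months. DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. "
    "McAFEE and NORTON CANNOT DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS "
    "UNTIL JUNE 1ST."
)
# Constructed example of a properly sourced warning (not a real advisory).
SOURCED = (
    "W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. "
    "Current antivirus definitions detect it. Details: www.symantec.com/avcenter/"
)

if __name__ == "__main__":
    print("hoax text:   ", hoax_signs(HOAX))
    print("sourced text:", hoax_signs(SOURCED))
```

A message with no signs is not thereby proven genuine; the vendor page it links to still has to be read.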

These links have more info and verify that the warning is only a hoax...
http://www.symantec.com/avcenter/venc/data/sulfnbk.exe.warning.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99084
http://antivirus.about.com/compute/antivirus/library/weekly/aa051601a.htm
http://antivirus.about.com/compute/antivirus/library/hoaxes/blensulf.htm

Also: http://vmyths.com/hoax.cfm?id=257&page=3 - a good explanation of how this hoax may have started, and why forwarding such e-mails is so harmful!

Please feel free to forward this information on to those that have sent you the hoax!

----- CONTENTS OF HOAX -----
It was brought to my attention yesterday that a virus is in circulation via email. I looked for it and to my surprise I found it on mine... Please follow the directions and remove it from yours TODAY!!!!!!!

No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out all files and folders on the hard drive. This virus travels through E-mail and migrates to the 'C:\windows\command' folder.

The bad part is: You need to contact everyone you have sent ANY E-mail to in the past few months. Many major companies have found this virus on their computers. Please help your friends !!!!!!!!

DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.

WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

----- END OF CONTENTS OF HOAX -----

Here is how to get that file back on Windows 98 and 98 SE:
1. Go to Start --> Run
2. Type SFC and hit enter.
3. Click on "Extract one file from installation disk"
4. In the "Specify the system file you would like to restore" box, type C:\WINDOWS\COMMAND\SULFNBK.EXE and then click on "Start"
5. On the next screen, you'll see a "Restore from" box. Type in the path to your Windows CAB files (usually C:\WINDOWS\OPTIONS\CABS). If you can't find the CAB files on your computer, insert your Windows 98 CD and then type *\Win98, replacing * with the drive letter for your CD-ROM drive (for example, if your CD-ROM is your D drive, you would type D:\Win98).
6. Click the OK button.

Here is how to get that file back on Windows ME:
1. Go to Start --> Run.
2. Type MSCONFIG and hit enter.
3. Click on the "Extract File ..." button.
4. In the "Specify the system file you would like to restore" field, type C:\WINDOWS\COMMAND\SULFNBK.EXE and then click on "Start"
5. On the next screen, you'll see a "Restore from" box. Type in the path to your Windows CAB files (usually C:\WINDOWS\OPTIONS\CABS). If you can't find the CAB files on your computer, insert your Windows ME CD and then type *\WinME, replacing * with the drive letter for your CD-ROM drive (for example, if your CD-ROM is your D drive, you would type D:\WinME).
6. Click the OK button.