The SULFNBK.EXE Virus Email Warning Is A Hoax, But....

Last significant update: 29 May, 2001

This information can be freely reproduced in any medium, as long as the information is unmodified.

Thanks to Keith Cedarleaf for first bringing this to our attention on 27 May, 2001.

Notes:

• While this particular warning is a hoax, there IS a virus that spreads infected SULFNBK.EXE files -- as well as others. The "warning", however, contains errors of fact, and should be ignored.

• The original hoax was in Spanish and Portugeuse; there is a Dutch version as well, and perhaps others. The main part of the English version presented here would seem to be a direct translation of the original(s).

On 27 May, 2001, a correspondent asked us about the following:

Subject: Fw: I found this virus on my computer

I was shocked, I found this virus in my computer also 

Actually, no: you found a file of that name. Unfortunately, telling whether a file is infected with a virus by looking at its name is about as helpful as telling the doctor your name, and asking if you are sick.

The proper way to tell if a file is infected is to check it with a top quality, up-to-date virus scanner.

& I never open an attachment that I do not know who its from so check your 
computer as it comes in on an e-mail.

Roberta

Actually, in this case, the file probably always has been there, and is not a virus. But perhaps not; more on this below.

----- Original Message -----
From: Joe [snip]
To: Undisclosed-Recipient:
Sent: Saturday, May 26, 2001 8:34 PM
Subject: Fw: I found this virus on my computer


I too found this on my computer like the person who forwarded it to me.
Joe

Like "Roberta", "Joe" was probably misled as well. "Hey everyone! If you have a file named WIN.COM on your computer, it might be a virus !!!" Never mind the fact that a file of that name has been on every Windows system since forever....

I received this virus warning Saturday morning, May 26. I followed the
instructions and sure enough, my computer was infected. I've got
anti-virus software and it did not pick it up!

The file was there because it's a part of Windows; the antivirus software didn't find a virus because it wasn't infected!

Please read the following carefully.

URGENT.  A VIRUS could be in your computer files now, dormant but
will become active on June 1.  

While it certainly is possible that there is a virus on someone's machine, it almost certainly isn't dormant. Viruses can't do that. Either they are active, or they are not; they can't hibernate.

FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW.

Don't bother. Instead, follow our directions, and protect yourself against many nasties instead of just one.

It was brought to my attention yesterday that a virus is in circulation
via email. I looked for it and to my surprise I found it on mine. ..

Sigh. Another person who probably found an uninfected SULFNBK.EXE file....

Please follow the directions and remove it from yours TODAY!!!!!!!

No Virus software can detect it.  

Then how were YOU able to tell that it was a virus?

For the record, there is no such thing as an undetectable virus. Viruses have to make changes; once the change is found, the virus loses. Of course, some viruses may not have been detected YET, but as soon as an announcement of a real virus appears, rest assured that the antivirus companies already have a fix for it, or will in a matter of hours.

It will become active on June 1, 2001.
It might be too late by then. It wipes out all files and folders on
the hard drive. This virus travels thru E-mail and migrates to the
'C:\windows\command' folder.  

This is where things start to get tricky....

To find it and get rid of it off of
your computer, do the  following.

Go to the "START" button.
Go to "FIND" or "SEARCH"
Go to "FILES & FOLDERS"
Make sure the find box is searching the "C:" drive.
Type in;   SULFNBK.EXE
Begin search.

If it finds it, 

If it's a Win98 machine, it almost surely will find this file....

highlight it.
Go to 'File'  and delete it.

While most people won't need this file, and in most cases it won't be infected, let's suppose for the sake of argument that it IS infected. Removing this one file will not remove the virus. Only one infected file.

lose the find Dialog box
Open the Recycle Bin
Find the file and delete it from the Recycle bin
You should be safe.

No.

Either you were safe before, or you were infected and you still are, albeit with one fewer infected file than before. But since you've just deleted the file, you can't disinfect it....

Ok, it's time to look at the facts:

1. SULFNBK.EXE is a Win98 utility that backs up Long File Names (LFNBK, get it?) [Back in the Old Days of DOS, files were limited to names with 8 or fewer characters. This made for cryptic file names like, well, "SULFNBK" instead of easier to remember ones like "Netscape Navigator"]

2. It turns out that there is a virus that:
   • looks in the Windows folder and its subdirectories for a file to infect

   • That file must be in "PE" (Portable Executable) format, and no larger than 132 KB.

     [SULFNBK.EXE, at 43 KB, is a file that meets these conditions -- one of 135 such files on my bare-bones Win98 system. Moreover, SULFNBK.EXE has an "odd" icon and name, which makes it more noticeable than some of those other 134 candidate files]

   • the virus mails out infected files.

3. In fact, I've had plenty of reports of a file of this very name being sent out in email, infected by a virus.

The bad part is: You need to contact everyone you have sent ANY
E-mail to in the past few months. Many major companies have found this
virus on their computers. Please help your friends !!!!!!!!

If those companies kept their antivirus software up to date, they'd have no problem with this particular thing.

DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.

Nonsense:

1. So how do YOU, pray tell, know it is a virus?

2. McAfee and Norton definitely do detect W32.Magistr@MM; many other products do as well.

WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

Ok advice, I suppose -- but the message, however, is bogus: obviously, this file is SUPPOSED to be on Win98 systems. Besides, it would be a lot more helpful to say:

1. NEVER ACCEPT UNSOLICITED ATTACHMENTS, even from those you know and trust.

2. Get top quality antivirus software, install it, and USE it.

3. Keep said software updated, preferably at least once a week.

4. Avoid crappy emailers that allow active content, like the Microsoft Outlook variants. Otherwise, you WILL get bitten by junk like this.

Bottom line:

   A. If you Practice Safe Hex, ignore the message.

   B. If you don't, *start* practicing it, NOW. But still ignore the message.

Please do not forward this -- or any other hoax -- to all your friends. Even ones with partial truths like this one.

Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- informing the originators that this is a hoax. For this particular hoax, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/hoaxes/sulfnbk.html)
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB