Duped by worm hoax, victims seek file fix

A hoax e-mail warning people that their PCs might contain a virus tricked an untold number of people into deleting a beneficial Windows application--and now they're scrambling to get it back.

The e-mail, which was originally written in Portuguese and is circulating internationally, urges readers to wipe a Microsoft Windows utility called sulfnbk.exe off their hard disks.

The harmless file is on every PC that comes with Windows, and it helps computers recognize shorter versions of longer file names. Computer experts recommend that people who fell for the prank restore the file with a few simple steps, although sulfnbk.exe is not required for normal system operation.

Antivirus researchers at Symantec have published information on a special sulfnbk.exe site with details about how to retrieve the file. They have also listed the hoax on a site that updates computer users on new hoax viruses.

Bobbi Cassibo is one of many e-mail users who, paranoid about infecting her computer with a truly destructive virus, believed the hoax. She received the sham e-mail from her well-intentioned sister, who in turn received it from an Australian woman she befriended on an online cross-stitch site.

"I took it off for one reason, that being because it was there," Cassibo said of the sulfnbk.exe file. "But after I took it off, I was talking with a co-worker, and I decided to try and recover the file."

Although neither Microsoft nor antivirus researchers at Symantec would speculate as to how many people received the e-mail and trashed the file, dozens of people sent e-mail to CNET News.com complaining that they got suckered. It's unclear if the e-mail was started as an ill-intentioned trick or was simply the result of confusion.

"Well, I believed the message because I have been bit by a virus before that came through e-mail," Jay Pastor wrote in an e-mail. Pastor received the warning from several of his good friends, who also deleted the file from their machines.

"Now they are in the same boat as me," Pastor lamented. "I would just like to get this thing fixed now so I don't worry about the PC breaking down."

The e-mail itself does not contain anything potentially harmful to computers. Because it doesn't contain a virus, it cannot be detected by virus-scanning software or junk e-mail filters. Several people who fell for the hoax said the fact that it came from concerned friends or colleagues--not an unknown spammer--gave it an air of legitimacy.

Antivirus experts said the phenomenon is testimony to the international community's increasing consciousness and fear of computer viruses. News reports of the particularly pernicious AnnaKournikova virus--which took the form of a worm attachment--spread around the world in a matter of hours, and computer users were on heightened alert for e-mails with a suspicious air.

It also exemplifies how quickly a single e-mail--be it harmless junk mail or an inconvenient prank--can spread.

"This is social engineering on a grand scale," said Symantec spokeswoman Lucy Bunker. "Whereas e-mail worms mass-mail themselves and cause destruction, this hoax message simply asks you to mass-mail it yourself and then delete the information on your computer. In essence, you're doing the work of a destructive virus yourself."

Vmyths.com, a Web site that debunks spurious virus warnings, said the confusion was heightened by the fact that e-mails were surfacing that contained a copy of the sulfnbk.exe file that was infected with a virus. But this virus, called W32.Magistr.24876@mm, is well known and easily removed with any good antivirus software.

Vmyths.com believes the new e-mail was begun by somebody who was forwarded a message by a colleague whose PC did actually have the Magistr worm. This person, suggests the site, searched for the sulfnbk.exe file, found it and deleted it (after discovering that antivirus software failed to recognize the file), and sent a warning to other users. The site calls this the "False Authority Syndrome."

Bunker said there are several easy clues to detect bogus virus warnings. "Anything that has lots of capital letters saying things like 'VIRUS WARNING' should be treated with skepticism," Bunker said. In addition, phrases warning that a supposed virus will absolutely destroy everything on a hard disk should be taken with a pinch of salt, as should those suggesting there is no known fix.

"Hoax e-mails also often attribute information to MSN, AOL, Microsoft, CNN to give them credibility," Bunker added, "but these companies don't usually issue virus warnings."

Staff writer Matt Loney contributed from London.