Hoax virus says trash Windows file

A hoax e-mail warning people that their PCs may contain a virus tricks its victims into trashing a potentially helpful Windows utility.

CNET News staff
A hoax e-mail warning people that their PCs may contain a virus called sulfnbk.exe tricks its victims into trashing a harmless, and potentially helpful, Windows utility.

The e-mail, which was originally written in Portuguese and was reported to be making the rounds in Brazil last month, has been translated to English and is circulating in the United Kingdom. Recipients are advised to delete a harmless Microsoft Windows utility called sulfnbk.exe from their hard disks.

Antivirus experts were quick to point out that the e-mail does not contain a worm and is being passed around by well-meaning people alarmed at its contents. As a result, it cannot be detected by virus-scanning software or junk e-mail filters.

"This is social engineering on a grand scale," said Symantec spokeswoman Lucy Bunker. "Whereas e-mail worms mass-mail themselves and cause destruction, this hoax message simply asks you to mass-mail it yourself and then delete the information on your computer. In essence, you're doing the work of a destructive virus yourself."

The hoax message indicates that the virus is scheduled to trigger June 1, has been found on every PC in somebody's office, and is not detectable with virus software. In fact, the file is on every PC that has Windows installed and is not detected by antivirus software because it is not--and does not normally contain--a virus.

"The file that people are being asked to delete is a legitimate file that is part of the Windows operating system," Bunker said. "We are working with Microsoft to find out what people should do if they have deleted this file; it is a useful file and you shouldn't delete it."

Sulfnbk.exe is a Microsoft Windows utility that is used to restore long file names, according to Symantec, and deleting it could cause that feature to stop working properly.

Bunker said Symantec received a handful of enquiries about the e-mail message Tuesday and more today--probably triggered by the warning that the virus would activate June 1, she said. An earlier variant warned that the virus would activate May 25.

Experts believe the propagation of the sulfnbk.exe e-mail is caused mainly by confusion. Vmyths.com, a Web site that debunks spurious virus warnings, said the confusion may have been heightened by the fact that e-mails were surfacing that contained a copy of the sulfnbk.exe file that was infected with a virus. But this virus, called W32.Magistr.24876@mm, is well known and easily removed with any good antivirus software.

Vmyths.com believes the new e-mail was begun by somebody who was forwarded a message by a colleague whose PC did actually have the Magistr worm. This person, suggests the site, searched for the Sulfnbk.exe file, found and deleted it (after discovering that antivirus software failed to recognize the file), and sent a warning to other users. The site calls this the "False Authority Syndrome."

Symantec's Bunker said there are several easy clues to detect bogus virus warnings. "Anything that has lots of capital letters saying things like VIRUS WARNING should be treated with skepticism," Bunker said. In addition, phrases warning that a supposed virus will absolutely destroy everything on a hard disk should be taken with a pinch of salt, as should those suggesting there is no known fix.

"Hoax e-mails also often attribute information to MSN, AOL, Microsoft, CNN to give them credibility," Bunker added, "but these companies don't usually issue virus warnings."

The hoax e-mail begins as follows:
"URGENT. A VIRUS could be in your computer files now, laying dormant but will become active on June 1, 2001. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND HOW TO REMOVE IT NOW.

"It was brought to my attention that this virus is in circulation via e-mail. I looked for it and to my surprise I found it on my computer as well as everyone else's in my office. Please follow the directions and remove it from yours TODAY!!!!!!!"

The e-mail then goes on to give a detailed list of instructions on how to delete the sulfnbk.exe file.
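Bunker's clues, together with the forward-and-delete request she describes, can be written as a small triage check and run over the opening quoted above. This is an added example, not part of the original article; the rule names, regular expressions, the three-word threshold and the two constructed sample messages are assumptions.

```python
import re

# Rule names, patterns and the threshold are assumptions of this example;
# each rule corresponds to one clue described in the article.
PATTERNS = {
    # a supposed virus "will absolutely destroy everything on a hard disk"
    "total_destruction": re.compile(
        r"\b(destroy|erase|wipe)s?\b.{0,40}\b(everything|all|hard (disk|drive))", re.I | re.S),
    # "no known fix" / "not detectable with virus software"
    "no_known_fix": re.compile(
        r"\bno (known )?(fix|cure|remedy)\b|\bnot detect(ed|able)\b", re.I),
    # information attributed to MSN, AOL, Microsoft or CNN for credibility
    "borrowed_authority": re.compile(
        r"\b(MSN|AOL|Microsoft|CNN)\b.{0,60}\b(announced|confirmed|warned|reported)\b", re.I | re.S),
    # the reader is asked to do the deleting and the mass-mailing themselves
    "asks_to_delete_or_forward": re.compile(
        r"\b(remove|delete) it\b|\b(forward|send) this\b", re.I),
}

def shouted_words(text, min_len=4):
    """Words of at least min_len letters written entirely in capitals."""
    return [w for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len and w.isupper()]

def hoax_clues(text, shout_threshold=3):
    """Return the sorted names of the clues that fire on a message body."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if len(shouted_words(text)) >= shout_threshold:
        hits.add("shouting")
    return sorted(hits)

# Opening of the hoax message as quoted in the article.
HOAX_OPENING = (
    "URGENT. A VIRUS could be in your computer files now, laying dormant but will "
    "become active on June 1, 2001. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT "
    "AND HOW TO REMOVE IT NOW. It was brought to my attention that this virus is in "
    "circulation via e-mail. I looked for it and to my surprise I found it on my "
    "computer as well as everyone else's in my office. Please follow the directions "
    "and remove it from yours TODAY!!!!!!!")
# Constructed samples (not from the article): a hoax-style variant and a calm advisory.
CONSTRUCTED_VARIANT = ("Microsoft and AOL announced this is the worst virus ever. It will destroy "
                       "everything on your hard disk and there is no known fix. Forward this to everyone.")
CONSTRUCTED_ADVISORY = ("The worm attached to this week's messages is detected by current "
                        "antivirus definitions. Update your software and run a scan.")

if __name__ == "__main__":
    for label, body in [("hoax opening", HOAX_OPENING), ("constructed variant", CONSTRUCTED_VARIANT),
                        ("constructed advisory", CONSTRUCTED_ADVISORY)]:
        print(f"{label}: {hoax_clues(body)}")
```

The quoted opening trips only the shouting and self-inflicted-action rules, so a keyword check like this is a prompt for skepticism rather than a verdict.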

Staff writer Matt Loney reported from London.