SULFNBK.EXE Warning
| Reported on: April 17,
2001 |
| Last Updated on: December 19, 2001 at
07:01:06 PM PST |
Symantec
Security Response encourages you to ignore any messages regarding this hoax. It
is harmless and is intended only to cause unwarranted concern.
Type: Hoax
Description:
The following hoax email was first reported in
Brazil, and the original email was in Portuguese. Other language versions are in
circulation. Currently, the English language versions are most
common.
CAUTIONS:
- This particular email message is a hoax. The file that is mentioned in the
hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to
restore long file names, and like any .exe file, it can be infected by a virus
that targets .exe files.
- The virus/worm W32.Magistr.24876@mm can arrive as an attachment
named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the
C:\Windows\Command folder. If the file is located in any other folder, or
arrives as an attachment to a email message, then it is possible that the file
is infected. In this case, if a scan with the latest virus definitions and
with NAV set to scan all files does not detect the file as being infected,
quarantine and submit the file to SARC for analysis by following the
instructions in the document How to submit a file to SARC using Scan and Deliver.
- If you have deleted the Sulfnbk.exe file from the C:\Windows\Command
folder and want to know how to restore the file, see the How to restore the
Sulfnbk.exe file section at the end of this document.
English versions
Version 1
This is very real,
and I may have passed it on to you. Check it out as below right now. Your drive
may crash!!
"I had a virus which apparently attaches itself to everyone in my
address book. I deleted it successfully. you may have it as well. Follow these
instructions to see if you have it. It transfers to whomever is in your address
book. It lies dormant for 14 days, then kills your hard drive. If you've got it
send these instructions to everyone in you address book. Otherwise, it may be
sent back to you by somebody else.
1. go to start-then to "find or search" 2.
in the "search for files or folders" type in sulfnbk.exe - this is the name of
the virus. 3. in the "look in" make sure you're searching drive C
4. hit
"search" button ))or find_
5. if this file shows up (it's an ugly blackish
icon that will have the name sulfnbk.exe) DON'T OPEN IT
6. right click on the
file - go down to delete and left click
7. It will ask if you want to send it
to the recycle bin - yes
8. go to your desktop (where all your icons are) and
double-click on the recycle bin
9. right click on sulfnbk.exe and delete
again or just empty the recycle bin
IF YOU FIND THIS.....SEND IT TO EVERYONE
IN YOUR ADDRESS BOOK, BECAUSE THAT'S HOW IT IS TRANSFERRED.
Version
2
Do you believe that a friend of mine sent me an alert and the procedure
that we have to follow for the possible infection of SULFNBK.EXE. And I had
checked, just to make sure. An then... the file was there, hidden even of McAfee
and Norton, maybe waiting something to start work.
Well, see bellow the
procedure that I followed step by step, and I found the file:
1.
Start/Find Folders. Type the file name: SULFNBK.EXE
2. If it find, open
Windows Explorer, browse into the folder where the file is and delete it. Do not
click with left button on the file and do not open it.
3. Just delete
it
4. Mine was on Windows/Command
5. The virus from the person who gave
the alert was on Windows/Config
Yes, Norton and McAfee do not detect
it.
We do not know if it makes some damage on the machine, but I think that
anybody will not want to test it to know, will it?
Folks, this is not fun, I
deleted it from my computer.
And my definitions are updated.
Do the same,
ok?
Version 3
This one has additional text stating that the
virus will activate on June 1st.
It was brought to my attention
yesterday that a virus is in circulation via email. I looked for
it and to my surprise I found it on mine. ..
Please follow the
directions and remove it from yours TODAY!!!!!!!
No Virus software can
detect it. It will become active on June 1, 2001.
It might be
too late by then. It wipes out all files and folders
on
the hard drive. This virus travels thru E-mail and migrates to
the
'C:\windows\command' folder.
The bad part is: You need
to contact everyone you have sent ANY
E-mail to in the past
few months. Many major companies have found this virus
on
their computers. Please help your friends !!!!!!!!
DO NOT RELY
ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT
DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
WHATEVER YOU DO, DO NOT OPEN THE
FILE!!!
Danish
version
Virusen er programmeret til at aktivere sig på et
senere tidspunkt, derfor vil den ikke blive opdaget af et standard
virusbeskyttende program, såsom Mcafee eller Norton. Ingen ved, hvor længe den
har været i omløb - muligvis i flere måneder. Når den aktiverer sig vil den
slette alle filer og dokumenter på jeres harddisk. Den spreder sig via e-mail og
placerer sig i C.WINDOWS/COMMAND.
For at finde den og slette den skal I
gøre følgende:
1. Klik på start
2. Vælg Søg efter
3. Vælg filer eller
mapper
4. Gå til Søg alle filer og vælg lokale hardiske - i de
fleste
tilfælde er det C:.
5. I feltet Navn skrives SULFNBK.EXE
6. Hvis
filen findes, marker den, men ÅBN DEN IKKE !!!!!!!!!
7. Højreklik på filen og
vælg SLET
8. Luk dialogboksen Søg alle filer
9. Tøm papirkurven
Så
er I smittefri og computeren reddet. Den dårlige nyhed er, at man muligvis har
smittet alle, som man har sendt mail til i mange måneder.
Derfor bør man
kontakte alle personer i ens adressekartotek og straks sende dem denne
meddelelse.
Og det har jeg også gjort
PS.: Og jeg havde altså også denne
luskede virus
How to
restore the Sulfnbk.exe file
If you have deleted this file,
restoration is optional. Sulfnbk.exe is a Microsoft Windows utility that is used
to restore long file names. It is not needed for normal system operation. If you
want to restore it, there is more than one way to do this. See the information
that follows.
NOTE: The instructions in this document are provided
for your convenience. The extraction of Windows files uses Microsoft programs
and commands. Symantec does not provide warranty support for or assistance with
Microsoft products. If you have any questions, please see your Windows
documentation or contact Microsoft.
Windows Me
If you are using
Windows Me, you can restore the file using the System Configuration Utility.
1. Click Start and then click Run.
2. Type msconfig and then
press Enter.
3. Click Extract Files. The "Extract one file from
installation disk" dialog box appears.
4. In the "Specify the system file
you would like to restore" box, type the following, and then click
Start:
c:\windows\command\sulfnbk.exe
NOTE: If
you installed Windows to a different location, make the appropriate
substitution.
The Extract File dialog box appears.
5. Next to
the "Restore from" box, click Browse, and browse to the location of the
Windows installation files. If they were copied to the hard drive, this is, by
default, C:\Windows\Options\Install. You can also insert the Windows
installation CD in the CD-ROM drive and browse to that location.
6. Click
OK and follow the prompts.
Windows 98
If you are using
Windows 98, you can restore the file using the System File Checker.
1. Click Start and then click Run.
2. Type sfc and then press
Enter.
3. Click "Extract one file from installation disk."
4. In the
"Specify the system file you would like to restore" box, type the following,
and then click
Start:
c:\windows\command\sulfnbk.exe
NOTE: If
you installed Windows to a different location, make the appropriate
substitution.
The Extract File dialog box appears.
5. Next to
the "Restore from" box click Browse, and browse to the location of the Windows
installation files. If they were copied to the hard drive, this is, by
default, C:\Windows\Options\Cabs. You can also insert the Windows installation
CD in the CD-ROM drive and browse to that location.
6. Click OK and follow
the prompts.
Windows 95 (or alternative method for Windows
98/Me)
If you are using Windows 95, you need to use the extract command.
This can also be used on Windows 98/Me.
1. Click Start, point to Find or Search, and then click Files or
Folders.
2. Make sure that "Look in" is set to (C:) and that Include
subfolders is checked.
3. In the "Named" or "Search for..." box,
type:
precopy1
4. Click Find Now or Search Now.
If it does not exist on the hard drive, then insert the Windows installation
CD and repeat the search on that drive.
5. When you find the file, write
down the location of Precopy1, for example, C:\Windows\Options\Cabs. This is
your Source Path.
6. The general form of the Extract command
is:
extract /a <Source Path>\precopy1.cab sulfnbk.exe /L
c:\windows\command
NOTE: Make sure that you include the /a
switch, as shown. Depending on your version of Windows, the Sulfnbk,exe file
can be in a .cab file other than Precopy1.cab. By using the /a switch, the
Extract program will look first in the Precopy1.cab, and if the file is not
found there, it will look in all subsequent .cab files until it is found, and
can be extracted.
So if the source path is C:\Windows\Options\Cabs,
then the Extract command becomes:
extract /a
c:\windows\options\cabs\precopy1.cab sulfnbk.exe /L
c:\windows\command
NOTE: If you installed Windows to a
different location, make the appropriate substitution.
7. Click Start
and then click Run.
8. Type the following, making the appropriate
substitutions as previously noted
extract /a <Source
Path>\precopy1.cab sulfnbk.exe /L c:\windows\command
9. Click
OK.
For more information on how to use the Microsoft Extract command,
see the Microsoft Knowledge Base document, How to Extract Original Compressed Windows Files,
Article ID: Q129605
Write-up by: Patrick Martin
