Symantec AntiVirus Research Center (SARC)
http://www.symantec.com/avcenter

SULFNBK.EXE Warning
Reported on: April 17, 2001
Last Updated on: May 31, 2001 at 12:49:29 PM PDT

The following hoax email has been reported in Brazil. The original email is
in Portuguese; it is followed by an English translation.

CAUTIONS:

This particular email message is a hoax. The file that is mentioned in the
hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to
restore long file names, and like any .exe file, it can be infected by a
virus that targets .exe files.
The virus/worm W32.Magistr.24876@mm can arrive as an attachment named
Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the
C:\Windows\Command folder. If the file is located in any other folder, or
arrives as an attachment to a email message, then it is possible that the
file is infected. In this case, if a scan with the latest virus definitions
and with NAV set to scan all files does not detect the file as being
infected, quarantine and submit the file to SARC for analysis by following
the instructions in the document How to submit a file to SARC using Scan and
Deliver.
If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder
and want to know how to restore the file, see the How to restore the
Sulfnbk.exe file section at the end of this document.
Original Portuguese version:

Vocês acreditam que uma amiga da lista enviou um alerta e os procedimentos
que deveriam ser tomados para a possível detecção do maledeto SULFNBK.EXE. e
eu fui conferir só por desencargo de consciência. Pois é...O bichinho tava
lá, escondidinho até da McAfee e do Norton, talvez esperando algum gatilho
prá começar a trabalhar, né?
Aí vão, moçada, as orientações que eu segui à risca e que me levaram ao tal
coisinha ruím:

1 - Iniciar/Localizar Pastas. Digite o nome do "mardito": SULFNBK.EXE
2 - Se for encontrado, abra o Windows Explorer, vá até a pasta onde ele se
encontra alojado e delete-o de lá ou do próprio ambiente do Localizar; - Não
click com o botão esquerdo sobre ele e não abra o arquivo nem em caso de
incêndio, ok?
3 - Apenas delete o bichinho.
4 - O meu estava em Windows/Command.
5 - O vírus da pessoa que passou o aviso estava em Windows/Config.

Sim, o Norton e nem o McAfee não detectou.
Não sabemos se ele faz algum estrago na máquina, mas acho que ninguém aqui
vai querer testar para saber, né?
Gente, sem brincadeiras, já tirei o meu daqui....
E nem imaginava que tivesse hóspedes no PC.
Minha vacina está super-atualizada!!!
Façam o mesmo, ok?


Translated English version:

Do you believe that a friend of mine sent me an alert and the procedure that
we have to follow for the possible infection of SULFNBK.EXE. And I had
checked, just to make sure. An then... the file was there, hidden even of
McAfee and Norton, maybe waiting something to start work.
Well, see bellow the procedure that I followed step by step, and I found the
file:

1. Start/Find Folders. Type the file name: SULFNBK.EXE
2. If it find, open Windows Explorer, browse into the folder where the file
is and delete it. Do not click with left button on the file and do not open
it.
3. Just delete it
4. Mine was on Windows/Command
5. The virus from the person who gave the alert was on Windows/Config

Yes, Norton and McAfee do not detect it.
We do not know if it makes some damage on the machine, but I think that
anybody will not want to test it to know, will it?
Folks, this is not fun, I deleted it from my computer.
And my definitions are updated.
Do the same, ok?

A new version of this hoax has additional text stating that the virus will
activate on June 1st:

It was brought to my attention yesterday that a virus is in circulation via
email. I looked for it and to my surprise I found it on mine. ..
Please follow the directions and remove it from yours TODAY!!!!!!!

No Virus software can detect it.  It will become active on June 1, 2001.
It might be too late by then. It wipes out all files and folders on
the hard drive. This virus travels thru E-mail and migrates to the
'C:\windows\command' folder.

The bad part is: You need to contact everyone you have sent ANY
E-mail to in the past few months. Many major companies have found this virus
on
their computers. Please help your friends !!!!!!!!

DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.

WHATEVER YOU DO, DO NOT OPEN THE FILE!!!




How to restore the Sulfnbk.exe file
If you have deleted this file, restoration is optional. Sulfnbk.exe is a
Microsoft Windows utility that is used to restore long file names. It is not
needed for normal system operation. If you want to restore it, there is more
than one way to do this. See the information that follows.

NOTE: The instructions in this document are provided for your convenience.
The extraction of Windows files uses Microsoft programs and commands.
Symantec does not provide warranty support for or assistance with Microsoft
products. If you have any questions, please see you Windows documentation or
contact Microsoft.

Windows Me
If you are using Windows Me, you can restore the file using the System
Configuration Utility.

1. Click Start and then click Run.
2. Type msconfig and then press Enter.
3. Click Extract Files. The "Extract one file from installation disk" dialog
box appears.
4. In the "Specify the system file you would like to restore" box, type the
following, and then click Start:

c:\windows\command\sulfnbk.exe

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

The Extract File dialog box appears.

5. Next to the "Restore from" box, click Browse, and browse to the location
of the Windows installation files. If they were copied to the hard drive,
this is, by default, C:\Windows\Options\Install. You can also insert the
Windows installation CD in the CD-ROM drive and browse to that location.
6. Click OK and follow the prompts.
Windows 98
If you are using Windows Me, you can restore the file using the System File
Checker.

1. Click Start and then click Run.
2. Type sfc and then press Enter.
3. Click "Extract one file from installation disk."
4. In the "Specify the system file you would like to restore" box, type the
following, and then click Start:

c:\windows\command\sulfnbk.exe

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

The Extract File dialog box appears.

5. Next to the "Restore from" box click Browse, and browse to the location
of the Windows installation files. If they were copied to the hard drive,
this is, by default, C:\Windows\Options\Cabs. You can also insert the
Windows installation CD in the CD-ROM drive and browse to that location.
6. Click OK and follow the prompts.
Windows 95 (or alternative method for Windows 98/Me)
If you are using Windows 95, you need to use the extract command. This can
also be used on Windows 98/Me.


1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is
checked.
3. In the "Named" or "Search for..." box, type:

precopy1

4. Click Find Now or Search Now. If it does not exist on the hard drive,
then insert the Windows installation CD and repeat the search on that drive.
5. When you find the file, write down the location of Precopy1, for example,
C:\Windows\Options\Cabs. This is your Source Path.
6. The general form of the Extract command is:

extract <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command

So if the source path is C:\Windows\Options\Cabs, then the Extract command
becomes:

extract c:\windows\options\cabs\precopy1.cab sulfnbk.exe /L
c:\windows\command

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

7. Click Start and then click Run.
8. Type the following, making the appropriate substitutions as previously
noted

extract <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command

9. Click OK.
For more information on how to use the Microsoft Extract command, see the
Microsoft Knowledge Base document, How to Extract Original Compressed
Windows Files, Article ID: Q129605



Category: Hoax

Please ignore any messages regarding this hoax and do not pass on messages.
Passing on messages about the hoax only serves to further propagate it.





Write-up by: Patrick Martin



-----Original Message-----
From: Discussion of Welsh language technical terminology and vocabulary
including [mailto:[log in to unmask]]On Behalf Of
catrin alun
Sent: 01 June 2001 08:32
To: [log in to unmask]
Subject: Fw: URGENT - Virus alert - I really do suggest you read the
instructions below and carry them out - experience suggests your PC may
well have this Virus
Importance: High


I found it on my hard drive - please check!

Catrin
----- Original Message -----
From: "Tony O'Neill" <[log in to unmask]>
To: "Wendy Holt" <[log in to unmask]>; "Vicky Allen"
<[log in to unmask]>; "Tony O'Neill" <[log in to unmask]>;
"Tony Cooke" <[log in to unmask]>; "Steve Cowley - WSA IT"
<[log in to unmask]>; "Sandra Pearson (Pearson Insurance Services)"
<[log in to unmask]>; "Roger Monksummers" <[log in to unmask]>;
"RCS" <[log in to unmask]>; "Rachel Adkin" <[log in to unmask]>;
"Philipson, Jane" <[log in to unmask]>; "Peter Gammie"
<[log in to unmask]>; "Nigel Beard" <[log in to unmask]>; "Nicola
Hadley" <[log in to unmask]>; "Nicky Maxted"
<[log in to unmask]>; "Nick Bell" <[log in to unmask]>; "Min
Maxey" <[log in to unmask]>; "Marcus Taylor"
<[log in to unmask]>; "Lisa Leach"
<[log in to unmask]>; "Kathy Dudding"
<[log in to unmask]>; "John Ogbourne" <[log in to unmask]>; "John
Day" <[log in to unmask]>; "Jeff Billinger" <[log in to unmask]>; "Ingela
Persson" <[log in to unmask]>; "Helen O'Neill" <[log in to unmask]>;
"Gerry Harvey" <[log in to unmask]>; "Evelyne van Vliet"
<[log in to unmask]>; "English Self Cavy Club" <[log in to unmask]>;
"Doreen Petherick" <[log in to unmask]>; "Christine Fort"
<[log in to unmask]>; "Cavies" <[log in to unmask]>; "Catrin Alun"
<[log in to unmask]>; "Carol Sharp" <[log in to unmask]>; "Bryan
Mayoh" <[log in to unmask]>; <[log in to unmask]>; "Aylesbury
Flooring" <[log in to unmask]>; "Andre Theophilus"
<[log in to unmask]>
Sent: Thursday, May 31, 2001 7:02 PM
Subject: Fw: URGENT - Virus alert - I really do suggest you read the
instructions below and carry them out - experience suggests your PC may well
have this Virus


>
>
> ----- Original Message -----
> From: Wendy Holt <[log in to unmask]>
> To: Frances Holt <[log in to unmask]>; Gill Hood
> <[log in to unmask]>; John Berry <[log in to unmask]>; Steve Barrett
> <[log in to unmask]>; Rachel & David Betancourt <[log in to unmask]>; Beth
> Brown <[log in to unmask]>; Peter Gammie <[log in to unmask]>;
Tom
> and Roz Cunliffe <[log in to unmask]>; Nikolas Koll <[log in to unmask]>;
> Bryan Mayoh <[log in to unmask]>; Tony O'Neill <[log in to unmask]>; Graham
> Smith <[log in to unmask]>; Carol Tuxford <[log in to unmask]>;
> Peter Wilson <[log in to unmask]>; Geoff Wilson <[log in to unmask]>
> Sent: 31 May 2001 18:15
> Subject: Fw: URGENT - Virus alert - I really do suggest you read the
> instructions below and carry them out - experience suggests your PC may
well
> have this Virus
>
>
> >
> > > > Sent: Wednesday, May 30, 2001 4:57 PM
> > > > Subject: Fw: URGENT - Virus alert - I really do suggest you read the
> > > > instructions below and carry them out - experience suggests your PC
> may
> > > well
> > > > have this Virus
> > > >
> > > >
> > > > > URGENT. A VIRUS could be in your computer files now, dormant but
> will
> > > > > > > become
> > > > > > > > active on June 1. FOLLOW DIRECTIONS BELOW TO CHECK IF
> > > > > > > > YOU HAVE IT AND TO REMOVE IT NOW.
> > > > > > > >
> > > > > > > > It was brought to my attention yesterday that a virus is in
> > > > > circulation
> > > > > > > via
> > > > > > > > email. I looked for it and to my surprise I found it on
mine.
> > > > > > > > please follow the directions and remove it from yours
> > TODAY!!!!!!!
> > > > > > > >
> > > > > > > > No Virus software can detect it. It will become active on
June
> > 1,
> > > > > 2001.
> > > > > > > > might
> > > > > > > > be too late by then. It wipes out all files and folders on
the
> > > hard
> > > > > > drive.
> > > > > > > > This virus travels thru E-mail and migrates to the
> > > > > 'C:\windows\command'
> > > > > > > > folder. To find it and get rid of it off of your computer,
do
> > the
> > > > > > > following.
> > > > > > > >
> > > > > > > > Go to the "START" button.
> > > > > > > > Go to "FIND" or "SEARCH"
> > > > > > > > Go to "FILES & FOLDERS"
> > > > > > > > Make sure the find box is searching the "C:" drive.
> > > > > > > > Type in; SULFNBK.EXE
> > > > > > > > Begin search.
> > > > > > > > If it finds it, highlight it.
> > > > > > > > Go to 'File' and delete it.
> > > > > > > > Close the find Dialog box
> > > > > > > > Open the Recycle Bin
> > > > > > > > Find the file and delete it from the Recycle bin
> > > > > > > > You should be safe.
> > > > > > > >
> > > > > > > > The bad part is: You need to contact everyone you have sent
> ANY
> > > > E-mail
> > > > > > to
> > > > > > > in
> > > > > > > > the past few months. Many major companies have found this
> virus
> > on
> > > > > their
> > > > > > > > computers. Please help your friends !!!!!!!!
> > > > > > > >
> > > > > > > > DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON
> > CANNOT
> > > > > > > > DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
> > > > > > > >
> > > > > > > > WHATEVER YOU DO, DO NOT OPEN THE FILE!!!
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> >
> >
> >
>
>