In the latest perverse trickery pulled off by someone taking pleasure in computer users’ pain, a fake virus warning is circulating by e-mail asking people to delete an innocuous and uninfected executable Microsoft Corp. Windows file and then to pass the warning on to others.
The warning tells users to delete the sulfnbk.exe file, a utility used to restore long file names. The file isn’t usually infected, and running a virus check on it will prove fruitless … which just adds to the hoax’s credibility. The message warns people that it’s a virus undetectable by anti-virus software. Diligent users who search for the file and find it may presume the warning was accurate and delete it.
Standard anti-virus screens will not detect the warning e-mail itself, because it too is not a virus. But if users comply with the message, by deleting the file and forwarding the e-mail to others, the effect is similar.
The message begins, “FOLLOW THE INSTRUCTIONS, I HAD IT!!!!!…,” according to Avert Labs, the anti-virus response division of anti-virus firm McAfee, which itself is a division of Network Associates Inc. “I received this message from a friend and today it is true. I searched for the file following the next instruction and I found it, I had it without knowing,” the warning continues, providing instructions for finding and deleting the file.
“We actually received this one two weeks ago, in Portuguese,” said Joe Hartmann, director of North American virus research for Trend Micro Inc., another anti-virus software vendor. “A couple of days ago we received a version in English with some more text, adding a date to it, June 1.”
An earlier, real threat – the Magistr worm – infected the sulfnbk.exe file, adding to user confusion. This e-mail hoax is unrelated to the earlier worm, which can be detected and destroyed by updated anti-virus software.
Instructions for restoring the deleted file may be found at http://vil.mcafee.com/dispVirus.asp?virus_k=99084&/.
Network Associates, in Santa Clara, Calif., can be reached at http://www.nai.com/.