RE: SULFNBK VIRUS

by "Colleen Noon" <CNOON(at)state.wy.us>

 Date:  Wed, 12 Dec 2001 10:22:50 -0700
 To:  <ctfuzzy(at)canopy.net>,
<miryag(at)fuse.net>,
<hwg-basics(at)hwg.org>,
<dbarne20(at)visteon.com>
The file in question is an actual Windows file to recover long file names. McAfee's website has a correction for it if by chance someone thought it was real and deleted the file.

Of course I did, which is how I know the correction. (Too early in the morning reading email is bad for my computer's health! :) )

>>> "Barnes, David (D.)" <dbarne20(at)visteon.com> 12/12/01 07:21AM >>>
Out of curiosity, this is the Symantec description to go with the virus you
mentioned?  Are you sure that you have an infected file?

Thanks,

Dave Barnes


SULFNBK.EXE Warning
Reported on: April 17, 2001
Last Updated on: December 7, 2001 at 04:10:58 PM PST



Symantec Security Response encourages you to ignore any messages regarding
this hoax. It is harmless and is intended only to cause unwarranted concern.

Type: Hoax


Description:


The following hoax email was first reported in Brazil. The original email is
in Portuguese; it is followed by several other versions.


CAUTIONS:

This particular email message is a hoax. The file that is mentioned in the
hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to
restore long file names, and like any .exe file, it can be infected by a
virus that targets .exe files.
The virus/worm W32.Magistr.24876@mm can arrive as an attachment named
Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the
C:\Windows\Command folder. If the file is located in any other folder, or
arrives as an attachment to an email message, then it is possible that the
file is infected. In this case, if a scan with the latest virus definitions
and with NAV set to scan all files does not detect the file as being
infected, quarantine and submit the file to SARC for analysis by following
the instructions in the document How to submit a file to SARC using Scan and
Deliver.
If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder
and want to know how to restore the file, see the How to restore the
Sulfnbk.exe file section at the end of this document.

Original Portuguese version

Can you believe that a friend from the list sent an alert and the procedures
that should be followed for the possible detection of the cursed SULFNBK.EXE,
and I went to check just to ease my conscience. Well... the little critter was
there, hidden even from McAfee and Norton, maybe waiting for some trigger
to start working, right?
Here, folks, are the instructions that I followed to the letter and that led
me to the nasty little thing:

1 - Start/Find Folders. Type the name of the "cursed one": SULFNBK.EXE
2 - If it is found, open Windows Explorer, go to the folder where it is
lodged and delete it from there or from the Find window itself; - Do not
click on it with the left button and do not open the file even in case of
fire, ok?
3 - Just delete the little critter.
4 - Mine was in Windows/Command.
5 - The virus of the person who passed on the warning was in Windows/Config.

Yes, neither Norton nor McAfee detected it.
We do not know whether it does any damage to the machine, but I think nobody
here will want to test it to find out, right?
People, no kidding, I have already removed mine from here....
And I never imagined I had guests on the PC.
My antivirus is fully up to date!!!
Do the same, ok?

Danish version

The virus is programmed to activate at a later time, so it will not be
detected by a standard virus protection program such as Mcafee or Norton.
Nobody knows how long it has been in circulation - possibly for several
months. When it activates, it will delete all files and documents on your
hard disk. It spreads via e-mail and places itself in C.WINDOWS/COMMAND.

To find it and delete it, do the following:
1. Click Start
2. Choose Find
3. Choose Files or Folders
4. Go to Search all files and choose local hard disks - in most
cases this is C:.
5. In the Name field, type SULFNBK.EXE
6. If the file is found, select it, but DO NOT OPEN IT !!!!!!!!!
7. Right-click the file and choose DELETE
8. Close the Search all files dialog box
9. Empty the Recycle Bin

Then you are free of infection and the computer is saved. The bad news is
that you may have infected everyone you have sent mail to for many months.
You should therefore contact everyone in your address book and send them this
message immediately.
And I have done that too
PS.: And I did in fact also have this sneaky virus

Dutch


"it is possible that your computer is infected with a virus that is
programmed to become active. because of the "activation delay" that is built
into it, it is not detected by, among others, mcafee and norton.
nobody knows how long the virus has been circulating. possibly several months
already. when the virus is activated, it deletes all files and
folders from the hard disk.

the virus spreads via e-mail and infiltrates the folder
"c:/windows/command".

so a "big clean-up" will have to be carried out if you detect the virus
on your computer and on the computers of those you have recently been
in contact with by e-mail, otherwise it remains a
never-ending circle.

to find and remove it:

- click start
- then find
- choose files or folders
- go to search and choose local hard drives or "c"
- on the "name" line type: SULFNBK.EXE
- if the file is found, select it, but do not open it
- click edit
- then select all
- click file
- then delete.
- close the window and empty the recycle bin.

after this operation you are in principle fine. but you have probably
infected people to whom you have sent e-mails yourself. so if you have the
virus, warn them, so that they too can clean up their disks."


English versions

Version 1
Do you believe that a friend of mine sent me an alert and the procedure that
we have to follow for the possible infection of SULFNBK.EXE. And I had
checked, just to make sure. And then... the file was there, hidden even of
McAfee and Norton, maybe waiting something to start work.
Well, see below the procedure that I followed step by step, and I found the
file:

1. Start/Find Folders. Type the file name: SULFNBK.EXE
2. If it find, open Windows Explorer, browse into the folder where the file
is and delete it. Do not click with left button on the file and do not open
it.
3. Just delete it
4. Mine was on Windows/Command
5. The virus from the person who gave the alert was on Windows/Config

Yes, Norton and McAfee do not detect it.
We do not know if it makes some damage on the machine, but I think that
anybody will not want to test it to know, will it?
Folks, this is not fun, I deleted it from my computer.
And my definitions are updated.
Do the same, ok?

Version 2
This one has additional text stating that the virus will activate on June
1st.

It was brought to my attention yesterday that a virus is in circulation via
email. I looked for it and to my surprise I found it on mine. ..
Please follow the directions and remove it from yours TODAY!!!!!!!

No Virus software can detect it.  It will become active on June 1, 2001.
It might be too late by then. It wipes out all files and folders on
the hard drive. This virus travels thru E-mail and migrates to the
'C:\windows\command' folder.

The bad part is: You need to contact everyone you have sent ANY
E-mail to in the past few months. Many major companies have found this virus
on their computers. Please help your friends !!!!!!!!

DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.

WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

French

Hello everyone, Hello everyone!

This is a fairly serious VIRUS alert.
This is a serious VIRUS alert.

Since I have sent you e-mails in the last 3 months, I invite you to check
whether there is a folder named SULFNBK.EXE somewhere on your computer.

Since I have emailed you in the last couple of months I invite you to read
the following text carefully. Please note that, against all odds, I had it
exactly where it was mentioned it would be...

Please note that this VIRUS ( SULFNBK.EXE ) is undetectable and that it is
due to be activated on JUNE 1st, so check immediately. Do NOT open it and
throw it straight into the trash; EMPTY THE TRASH AFTERWARDS.



How to restore the Sulfnbk.exe file
If you have deleted this file, restoration is optional. Sulfnbk.exe is a
Microsoft Windows utility that is used to restore long file names. It is not
needed for normal system operation. If you want to restore it, there is more
than one way to do this. See the information that follows.

NOTE: The instructions in this document are provided for your convenience.
The extraction of Windows files uses Microsoft programs and commands.
Symantec does not provide warranty support for or assistance with Microsoft
products. If you have any questions, please see your Windows documentation
or contact Microsoft.

Windows Me
If you are using Windows Me, you can restore the file using the System
Configuration Utility.
1. Click Start and then click Run.
2. Type msconfig and then press Enter.
3. Click Extract Files. The "Extract one file from installation disk" dialog
box appears.
4. In the "Specify the system file you would like to restore" box, type the
following, and then click Start:

c:\windows\command\sulfnbk.exe

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

The Extract File dialog box appears.

5. Next to the "Restore from" box, click Browse, and browse to the location
of the Windows installation files. If they were copied to the hard drive,
this is, by default, C:\Windows\Options\Install. You can also insert the
Windows installation CD in the CD-ROM drive and browse to that location.
6. Click OK and follow the prompts.


Windows 98
If you are using Windows 98, you can restore the file using the System File
Checker.
1. Click Start and then click Run.
2. Type sfc and then press Enter.
3. Click "Extract one file from installation disk."
4. In the "Specify the system file you would like to restore" box, type the
following, and then click Start:

c:\windows\command\sulfnbk.exe

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

The Extract File dialog box appears.

5. Next to the "Restore from" box click Browse, and browse to the location
of the Windows installation files. If they were copied to the hard drive,
this is, by default, C:\Windows\Options\Cabs. You can also insert the
Windows installation CD in the CD-ROM drive and browse to that location.
6. Click OK and follow the prompts.

Windows 95 (or alternative method for Windows 98/Me)
If you are using Windows 95, you need to use the extract command. This can
also be used on Windows 98/Me.

1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is
checked.
3. In the "Named" or "Search for..." box, type:

precopy1

4. Click Find Now or Search Now. If it does not exist on the hard drive,
then insert the Windows installation CD and repeat the search on that drive.
5. When you find the file, write down the location of Precopy1, for example,
C:\Windows\Options\Cabs. This is your Source Path.
6. The general form of the Extract command is:

extract <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command

So if the source path is C:\Windows\Options\Cabs, then the Extract command
becomes:

extract c:\windows\options\cabs\precopy1.cab sulfnbk.exe /L c:\windows\command

NOTE: If you installed Windows to a different location, make the appropriate
substitution.

7. Click Start and then click Run.
8. Type the following, making the appropriate substitutions as previously
noted:

extract <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command

9. Click OK.

For more information on how to use the Microsoft Extract command, see the
Microsoft Knowledge Base document, How to Extract Original Compressed
Windows Files, Article ID: Q129605


Write-up by: Patrick Martin

Dave Barnes

Body, Safety, and Security Lab
Room LS-115C
313-755-1360
dbarne20(at)visteon.com



-----Original Message-----
From: Captain F.M. O'Lary [mailto:ctfuzzy(at)canopy.net]
Sent: Wednesday, December 12, 2001 8:36 AM
To: Mirya Glover; hwg-basics(at)hwg.org
Subject: Re: SULFNBK VIRUS


At 05:03 AM 12/12/01 , Mirya Glover wrote:
>A friend sent this to me and when I checked, I did have the virus.  I may
>have sent it to you.  The fix is real easy.  I commend you check and fix it.
>Please check your computer soon as possible. I did have this virus and
>chances are you have it too since you're all in my address book. It lies
>dormant for 14 days, then kills your hard drive. Here's how to stop it. If
>you've got it, send this to everyone in your address book. Sorry for the
>inconvenience.

You "gave everyone a virus". Now you're telling everyone to send mail to
everyone they know.

Let me guess . . . you were dropped on your head as a child.

Fuzzy.
< struggling to remain civil >
______________________________________________________________
Captain F.M. O'Lary
ctfuzzy(at)canopy.net
"With computers, every morning is the dawn of a new error. "
------------------------------------------------------------------
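
The location check from the Symantec write-up quoted in this thread, as an added example that is not part of the original messages or of any Symantec tool: a sighting of Sulfnbk.exe is sorted by whether it sits in the stock Command folder or somewhere else (another folder, or an e-mail attachment). The function names, labels and sample paths are assumptions made for this sketch.

```python
import ntpath  # Windows path rules, usable on any OS

TARGET = "sulfnbk.exe"

def triage(path, windows_dir=r"C:\Windows", from_attachment=False):
    """Classify one sighting of a file by name and location.

    'not-target': a different file name
    'expected'  : in <windows_dir>\\Command, where Windows keeps the utility;
                  a hoax message is no reason to delete it (normal AV scans
                  still apply, since any .exe can be infected)
    'suspicious': any other folder, or an e-mail attachment; scan it with
                  current definitions and submit it if nothing is detected
    """
    # Normalise forward slashes and ".." segments before comparing.
    norm = ntpath.normpath(path)
    folder, name = ntpath.split(norm)
    if name.lower() != TARGET:
        return "not-target"
    if from_attachment:
        return "suspicious"
    expected = ntpath.normpath(ntpath.join(windows_dir, "Command"))
    # Windows paths are case-insensitive, so compare case-folded forms.
    if ntpath.normcase(folder) == ntpath.normcase(expected):
        return "expected"
    return "suspicious"

def triage_all(sightings, windows_dir=r"C:\Windows"):
    """Map each (path, from_attachment) pair to its classification."""
    return {p: triage(p, windows_dir, att) for p, att in sightings}

# Constructed sample sightings, not taken from a real machine.
SAMPLE = [
    (r"C:\WINDOWS\COMMAND\SULFNBK.EXE", False),
    ("c:/windows/command/sulfnbk.exe", False),
    (r"C:\Windows\Config\Sulfnbk.exe", False),
    (r"C:\Windows\Command\..\Temp\sulfnbk.exe", False),
    ("Sulfnbk.exe", True),
    (r"C:\Windows\Command\scandisk.exe", False),
]

if __name__ == "__main__":
    for path, verdict in triage_all(SAMPLE).items():
        print(f"{verdict:11} {path}")
```

Pass `windows_dir` when Windows was installed somewhere other than C:\Windows, matching the substitution note in the restore instructions.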

HTML Guild: hwg-basics mailing list archives, maintained by Web Professionals @ IWA