Lock IT Down: Recovering from the Sulfnbk.exe virus hoax

Find out how to recover from this virus hoax


Unfortunately, it is all too easy to cook up a scary-sounding e-mail and urge gullible readers to forward it to everyone they know. Unlike actual viruses—which are eventually weeded out by antivirus software—an e-mail hoax only needs one click of the Forward button to clog the mail servers.

In my previous article "Educate users about virus hoaxes," I described a number of e-mail hoaxes along with the patterns that can tip you off to their bogus nature. I specifically mentioned the Sulfnbk.exe ruse, which urges readers to delete a certain Windows utility on the pretence that it’s infected. In this article, I’ll describe what to do if one of your users has deleted that Windows system file.

The hoax
The hoax takes the form of an e-mail message informing readers that one of their computer’s files is “infected” and predicting the usual dire consequences should they fail to act. Detailed instructions tell readers how to search for the Sulfnbk program and how to manually delete the file. (As such, it’s related to the Honor System virus—a joke e-mail that asks users to manually erase their hard drives.)

Here’s an example of a typical e-mail message describing the “virus.” While there are numerous variations, astute readers are bound to recognize a number of details that strain credibility.
A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW. No Virus software can detect it. It will become active on June 1. It might be too late by then. It wipes out all files and folders on the hard drive. This virus travels thru E-mail and migrates to the 'C:\windows\command' folder. To find it and get rid of it, do the following.

(At this point, the e-mail contains instructions for using the Windows Find command to locate and delete the file, which actually has an ominously ugly icon.)
The bad part is: You need to contact everyone you have sent ANY E-mail to in the past few months. Many major companies have found this virus on their computers. Please help your colleagues and friends!
DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
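
The details that strain credibility in the sample message can be checked mechanically, for example at a mail gateway or help desk queue. The following is an added example, not code from the original article: the indicator names, regular expressions, threshold and the benign advisory text are assumptions, and the hoax sample is abridged from the message quoted above.

```python
import re

# Indicators drawn from the quoted hoax; regexes and names are assumptions.
INDICATORS = {
    "av_cannot_detect": re.compile(
        r"\b(no|do not rely on your)\s+(anti-?)?virus software|cannot detect it", re.I),
    "mass_forward": re.compile(r"contact everyone|forward (this|it) to everyone", re.I),
    "manual_delete": re.compile(r"\b(remove|delete|get rid of) it\b", re.I),
    "system_path": re.compile(r"c:\\windows\\(command|system)\b|sulfnbk(\.exe)?", re.I),
    "dated_trigger": re.compile(r"becomes? active on \w+ \d{1,2}", re.I),
}

def hoax_indicators(body):
    """Return the sorted names of the indicators found in a message body."""
    text = " ".join(body.split())  # collapse line breaks so phrases match across wraps
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage(body, threshold=3):
    """Hold a message for review when several indicators co-occur.

    One phrase alone is weak evidence (real advisories also say "remove it");
    the combination of claims is what marks the hoax.
    """
    hits = hoax_indicators(body)
    verdict = "hold-for-review" if len(hits) >= threshold else "deliver"
    return verdict, hits

# Abridged from the hoax message quoted in the article.
HOAX = r"""A VIRUS could be in your computer files now, dormant but will
become active on June 1. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND
TO REMOVE IT NOW. No Virus software can detect it. This virus travels thru
E-mail and migrates to the 'C:\windows\command' folder. You need to contact
everyone you have sent ANY E-mail to in the past few months.
DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE."""

# Constructed benign text for contrast (not from the article).
ADVISORY = """A new worm spreads as an e-mail attachment. Update your
antivirus signatures; current definitions detect and remove it."""

if __name__ == "__main__":
    for label, msg in (("hoax", HOAX), ("advisory", ADVISORY)):
        print(label, *triage(msg))
```
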

Recovering Sulfnbk.exe
The Sulfnbk.exe utility can restore long filenames in the event that they become corrupted. In general, deleting the file will have no detrimental effect on your users’ computers. Nonetheless, it’s easy to restore the program, which makes the fix worthwhile. According to the Microsoft Knowledge Base, here is the fix for Windows 98 and Windows Millennium Edition.

Windows 98
Users of Windows 98 or Windows 98 Second Edition should use the System File Checker tool to extract the Sulfnbk.exe program. To do so, click Start | Run. Type SFC in the resulting dialog box and then press [Enter]. In the next dialog box, click Extract One File From Installation Disk. Now type C:\WINDOWS\COMMAND\SULFNBK.EXE into the Specify The System File You Would Like To Restore text box (assuming the Windows folder is on the C: drive) and then click Start. The Extract File dialog box will then appear.

Click Browse and then navigate to the Windows installation files. The default location is C:\Windows\Options\Cabs. You can also insert the Windows installation CD-ROM in the CD-ROM drive and browse to that location. Click OK and then click through the remaining steps of the install routine as usual.

Windows Millennium Edition
To extract files in Windows Me, use the System Configuration utility. Click Start | Run. Type MSCONFIG in the resulting dialog box and then press [Enter]. In the next dialog box, click Extract Files to display the Extract One File From Installation Disk dialog box.

In the Specify The System File You Would Like To Restore text box, type C:\WINDOWS\COMMAND\SULFNBK.EXE (assuming the Windows folder is installed on the C: drive) and then click Start. The Extract File dialog box will then appear. Click Browse and then navigate to the location of the Windows installation files. If the installation files were copied to the hard disk, the default location is C:\Windows\Options\Install. (You can also insert the Windows Me installation CD-ROM into your CD-ROM drive and then browse to that location.) When you’ve located the install files, click OK and then click through the remaining steps of the install routine as usual.

Scan Sulfnbk.exe with antivirus software
One of the factors that gave the Sulfnbk.exe hoax a boost was that some viruses apparently infected the Sulfnbk.exe file on certain machines. Also, the W32.Magistr.24876@mm virus sometimes arrives as an attachment named Sulfnbk.exe. As a result, antivirus software would report that the file is indeed infected. Fortunately, antivirus software is often able to disinfect, rather than delete, the infected file. Unfortunately, the appearance of Sulfnbk.exe in a report of infected files gave the hoax credibility it didn’t deserve. To be on the safe side, be sure your users have active antivirus routines that include periodic file scans. If Sulfnbk.exe or any other file is infected, it can often be repaired without the need to delete or replace the file.
