Real virus piggybacks on e-mail hoax

June 4, 2001

A hoax e-mail warning people that their PCs might contain a virus duped an untold number of people into deleting the sulfnbk.exe file from their hard drives last week. But now some computer users are receiving another e-mail with "sulfnbk.exe" in the subject line--and this time it may actually contain a harmful virus.

People who have received the virus say that launching the attached application lets loose a worm that could do substantial harm to the user's computer and to the machines of everyone on their e-mail lists.

"My concern is that because of the original hoax, people will have their guard down where this file is concerned," a system administrator wrote in an e-mail message. The company's anti-virus software caught the worm on a worker's computer.

But antivirus experts say a prankster did not send computer users a hoax to lull them into an actual attack. The sulfnbk.exe file is safe and does not contain a virus. Instead, a second attachment in the same e-mail contains the harmful W32Magistr@MM virus.

The virus, dubbed "Magistrate," has a variety of official file names that include numbers before the @ symbol. First detected March 13, Magistrate files may also be named W32Magistr.24876@mm.

Most anitvirus software detects and destroys Magistrate before it harms users' computers, but letting Magistrate loose could have disastrous consequences. Security experts at Symantec rate it a four on a scale of 1-5 for its potential danger, which includes system crashes and the release of confidential information.

The self-propagating worm infects Windows files and sends itself to all addresses in the Outlook/Outlook Express e-mail folders, the "sent items" file from Netscape and the Windows address book. Although it picks random copy from infected users' hard drives, Symantec cautions that the virus could send confidential Microsoft Word documents to others on the user's e-mail list.

E-mail sent from machines infected with Magistrate may have up to two attachments, as well as randomly generated subject lines and message bodies.

The sulfnbk.exe hoax began at least a month ago and quickly spread around the world as computer users, on heightened alert after a slew of media reports regarding nasty viruses, passed e-mail warnings about the potential threat. Many people deleted sulfnbk.exe--a Windows system file that helps identify long file names.

Magistrate-infected computers then received the well-intentioned warning and spammed others with e-mail. The randomly generated subject line reads "sulfnbk.exe" and includes the harmless sulfnbk.exe file. The other attachment is the Magistrate virus.

"Magistrate is a particularly nasty one," said Vincent Weafer, director of Symantec's antivirus research center. "It's definitely in the wild because we still get fairly constant reports of it."

Rob Rosenberger, editor of virus information site Vmyths.com, says the quick spread of the sulfnbk.exe hoax and the piggyback Magistrate virus reflects the complicated propagation of viruses, but it's also a simple indictment of security companies and the antivirus software they sell.

"People don't trust their antivirus software," Rosenberger said. "For years, we've been given antivirus software that regularly fails, and when it fails it fails spectacularly.

"People have been conditioned over the years that their antivirus software will fail. People trust their eyeballs more than they trust software, so when they see an e-mail from their friend warning of a virus, they believe it more than the software."

Confusion about which warnings are hoaxes and which are real could mount in the future as virus creators become more sophisticated. Microsoft called the sulfnbk.exe hoax an example of "social engineering," and experts agree that computer users may soon become the target of hackers who play sophisticated psychological games with computer users.

Symantec has already detected legitimate viruses sent after hoax viruses meant to lower computer users' guard. Rosenberger calls the increasingly common phenomenon "ex-post hoaxo."

"I've got a funny feeling that hoaxters are going to create more ex-post hoaxos," Rosenberger said. "It wouldn't be hard for somebody to write a worm that spreads itself as sulfnbk.exe. The e-mail can say, 'Hey Connie, in case you got duped by the hoax, go ahead and put this attachment in your Windows/command directory.'"