December 31st, 2001, 02:47 PM   #6
Nitra
SULFNBK.EXE - Hoax, Virus or WHAT?

'June 1 Virus' FAQ
"Sulfnbk.exe is a legitimate Windows file but like many others, can be infected. It looks as though someone who fell victim to Magistr mistakenly thought that the host file was the culprit and decided to warn others about it."
— Keilor



By David Emery

Q. I received an email warning about an infected file called Sulfnbk.exe. The message says if I find the file on my hard drive I should delete it before June 1, when it will supposedly deliver its "payload" and infect my computer. Should I delete it?

A. No. Sulfnbk.exe is a standard Windows system file. Leave it alone.

Q. Does that mean the warning is a hoax?

A. Not exactly. Copies of Sulfnbk.exe do exist that are infected with the Magistr worm. Experts believe the email warnings did not originate as a hoax (i.e., as an intentional attempt to deceive anyone), but as an earnest effort to notify others of the potential threat.

Q. Well, does that mean my computer could be infected, then?

A. Yes, but it's highly unlikely. You could only be infected if you've received and downloaded a contaminated copy of Sulfnbk.exe as an email attachment. If you habitually practice safe computing — meaning you never download or execute unknown file attachments and you scan your hard drive regularly with up-to-date virus protection software — you should have nothing to worry about.

Q. What should I do if I think I may have downloaded the bad file?

A. Make sure your antivirus program has been recently updated, then scan for viruses. Your software should detect and clean the infected file automatically if it is there.

Q. Do I have to do that before June 1 to be safe?

A. No. The bit about the virus "going off" on June 1 is pure fiction.

Q. I'm embarrassed to ask, but... What if I already followed the instructions in the email and deleted Sulfnbk.exe? How do I fix it?

A. First, let this be a lesson to you! Never take for granted that the information you receive in forwarded emails is accurate. Always verify such information with an authoritative source before acting on it or forwarding it to others. That said, to restore the deleted file, follow the instructions given by antivirus expert Mary Landesman here.

Q. Is there anything else I should know?

A. Just this: As a general rule, paying attention to forwarded email warnings is the worst way to try to protect yourself from viruses — and not just because the majority of virus warnings are hoaxes. In a sense, all virus warnings — even the accurate ones — are misleading, because they give the false impression that as long as you're watching out for file attachments with specific names you will be safe. The reality is that you put yourself at risk by downloading any executable file by any name (and some viruses are even designed to rename themselves or send themselves out under randomly varying names). Much, much, much more important than reading virus warnings are the simple measures of 1) always being very careful what you download, and 2) scanning your hard drive regularly.

Q. Okay. Are you done lecturing now?

A. Yes. Until the next time something like this happens — which, trust me, won't be long.


Update: Real Virus Piggybacks on 'Hoax' Warning
06/04/01 - Antivirus experts say the destructive Magistr worm has been found attached to some copies of the Sulfnbk.exe warning message. We hope this goes without saying, but just in case: If you receive the warning, do not open any attachments that may arrive with it. For more information, see "Worm Sneaks Ride With June 1st Hoax" from ZDNN.

Restoring Sulfnbk.exe

How to repair damage from a hoax


SULFNBK.EXE is a utility shipped as part of the Windows 98 operating system that allows users to restore long file names, and it is now the victim of a bogus virus warning. The hoax message urges users to search their systems for the presence of SULFNBK.EXE and, if found, delete it. Of course, it's a legitimate Win98 operating system file, so anyone running Windows 98 will find it. And many, it seems, have deleted it.

Following are the steps to take to restore SULFNBK.EXE from your Windows 98 operating system CD. You will want to have your Windows 98 operating system CD in the CD-ROM drive bay. If the program autoruns (launches), just click Exit.

A word of caution. Any executable has the potential to be infected. Any executable received via email should be considered infected until proven otherwise. There is a vast difference between the SULFNBK.EXE file that legitimately resides on your hard drive, and an SULFNBK.EXE arriving via email. The Magistr virus randomly selects, infects, and sends portable executable (PE EXE) files less than 132Kb in length. This makes SULFNBK.EXE, with its paltry 45,056 file size, a perfect candidate. Thus, if you were to receive SULFNBK.EXE via email, consider it infected.


Windows 98
Windows 98 includes a handy tool known as the System File Checker which can be used to restore damaged or deleted files. To open SFC, click "Start" | "Run" and type "SFC" without the quotes. Click "OK". System File Checker will launch a dialogue box with two choices. Choose "Extract one file from installation disk".

In the "Specify the system file you would like to restore" box, type "sulfnbk.exe" (without the quotes). Click "Start".

You will be prompted to specify the location that contains the file you want to extract and the destination directory for that file. You will need to input the "Restore from" location and the "Save file in" location.

"Restore from" will be the win98 folder on your Windows 98 operating system CD. It is easiest and most accurate to use the "Browse" button to locate and select the folder. The "Save file in" destination folder is the Windows directory and Command subdirectory. For example,
C:\WIN98\COMMAND

When both boxes have been filled in, click OK. You should receive a message stating "The file has been successfully extracted". Click OK and close any remaining SFC dialog boxes.

Windows ME
The utility "SFC" (System File Checker) does not exist in Windows ME.

The correct procedure to restore the file SULFNBK.EXE is as follows:

1.) Insert the Windows ME Installation CD. Cancel the Setup program if it starts.

2.) Open MY COMPUTER. Right click on the CD-ROM drive that contains the WinME installation CD and select "Explore."

3.) Open the "Win9X" folder, and locate the file "PRECOPY1.CAB." Double click this file to open it.*

4.) Locate the file SULFNBK.EXE in this .CAB file. Right click on it and select "Extract."

5.) In the "Browse for Folder" dialog box, locate the "COMMAND" subdirectory in your Windows directory, e.g., "C:\WINDOWS\COMMAND."

6.) Click "OK" to extract the file.

Note: This procedure MAY NOT work if support for compressed folders is not installed in the Windows setup tab under "Add/Remove Software" in the Control Panel.

Thanks to Rich Cloutier, System Support Services for the Windows ME instructions.
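The FAQ's point that an attachment's name tells you nothing, and the caution that Magistr picks PE EXE files under 132Kb, both argue for judging an attachment by its content. The sketch below is an added example, not part of the original post or the articles it quotes; the function names, the sample file names and the reading of "132Kb" as 132 × 1024 bytes are assumptions.

```python
import struct

# Assumption: the page's "132Kb" is read as 132 * 1024 bytes.
MAGISTR_SIZE_LIMIT = 132 * 1024


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an e-mail attachment by content; the name is reported, never trusted."""
    pe = is_pe_executable(data)
    return {
        "filename": filename,
        "size": len(data),
        "is_pe": pe,
        # Selection rule the page gives for files Magistr infects and mails out.
        "fits_magistr_host_profile": pe and len(data) < MAGISTR_SIZE_LIMIT,
        # The page's rule: any executable received via email is suspect.
        "verdict": "quarantine" if pe else "not-a-pe",
    }


def make_constructed_pe(total_size: int) -> bytes:
    """Constructed sample: minimal MZ/PE header bytes padded with zeros, not a real program."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + bytes(total_size - 0x84)


# Constructed samples, chosen to show that the name carries no information.
SAMPLES = [
    ("SULFNBK.EXE", make_constructed_pe(45056)),        # size the page quotes
    ("holiday_photos.scr", make_constructed_pe(60000)),  # executable under another name
    ("SULFNBK.EXE", b"just a text file with a scary name\r\n"),
    ("setup.exe", make_constructed_pe(200 * 1024)),      # PE, above the size limit
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(triage_attachment(name, blob))
```

Two files with the same "dangerous" name get opposite verdicts, and an executable with an unremarkable name is still quarantined.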