Welcome to The Funny/Alerts Newsletter issue number 010608.




This virus hoax was previously brought to my attention by John Wick, but because it was at the time seen by the anti-virus community as a "non-threat" (and the fact that it WAS a hoax) I felt that there was no need for me to raise the alarm.


This situation has recently changed as I have seen a rise in the number of users that have been taken in by this hoax. Hopefully you, my dear readers, have been paying attention to my ever-increasing cry to "keep your anti-virus software updated." If you have, then you probably trusted that if you had been infected you would have been alerted and that this hoax was exactly that. Knowledge is power.




E-mail virus hoax makes users do the dirty work

By George A.  Chidi Jr.


In the latest perverse trickery pulled off by someone taking pleasure in computer users' pain, a fake virus warning is circulating by e-mail asking people to delete an innocuous and uninfected executable Microsoft Windows file and then to pass the warning on to others.


The warning tells users to delete the sulfnbk.exe file, a utility used to restore long file names.  The file is not usually infected, and running a virus check on it will prove fruitless ...  which just adds to the hoax's credibility.  The message warns people that it is a virus undetectable by anti-virus software.  Diligent users who search for the file and find it may presume the warning was accurate and delete it.


Standard anti-virus screens will not detect the warning e-mail itself, because it too is not a virus.  But if users comply with the message by deleting the file and forwarding the e-mail to others, the effect is similar.


The message begins, "FOLLOW THE INSTRUCTIONS, I HAD IT!!!!!  ...," according to Avert Labs, the anti-virus response division of anti-virus firm McAfee, which itself is a division of Network Associates.  "I received this message from a friend and today it is true.  I searched for the file following the next instruction and I found it, I had it without knowing," the warning continues, providing instructions for finding and deleting the file.


"We actually received this one two weeks ago, in Portuguese," said Joe Hartmann, director of North American virus research at Trend Micro.  "A couple of days ago we received a version in English with some more text, adding a date to it: June 1."


An earlier, real threat -- the Magistr worm -- infected the sulfnbk.exe file, adding to user confusion.  This e-mail hoax is unrelated to the earlier worm, which can be detected and destroyed by updated anti-virus software.


Instructions for restoring the deleted file may be found at:






"WE CANNOT HAVE A STABLE INTERNET ECONOMY while 13-year-old children are free to deny arbitrary Internet services with impunity." So says Steve Gibson, one of the most extraordinary hackers I've ever heard about. I've been reading his stuff for many years, when he was a columnist in InfoWorld magazine, and back in the days when "hacker" had its original meaning: someone who "hacked" hardware and software to make it work better.  By reverse-engineering hard drives back in the days when 20 MB was big, he figured out that manufacturers often didn't set them up right.  He produced a nifty little utility called "SpinRite" that fixed them.


His latest Big Thing is Internet security.  He has a utility that you can run from his site to allow you to check whether your Internet connection is secure, or if YOUR COMPUTER is open to exploitation by anyone on the 'net.  Recently, his web site was wiped out for several days by a 13-year-old who unleashed a "denial of service" attack.  Why? Because the kid mistakenly thought Gibson had dissed him.  It's all written up on his web site.  It's somewhat technical, but it's MUST reading for anyone with a full-time connection to the 'net, anyone who wants to do business online, and every admin of every ISP in the world. Especially the last, since most big ISPs simply don't seem to CARE about the incredible rise in such attacks.  And even though YOUR computer might be used to launch the next one, especially if you have a cable modem, your ISP will likely NOT tell you that your machine has been compromised, or give you any help in stopping it from happening again.  It's up to you.


Gibson notes that the next version of Windows is going to make things MUCH worse.  And, he says, "The Internet's fundamental infrastructure MUST BE SECURED before the Net becomes further threatened by increasing levels of malicious attacks." I agree.  If you've understood any of this and have any interest, you'll find Gibson's page detailing the attack and how he tracked down the culprit very interesting.  If this sounds just too complicated, then just check YOUR computer through his security scanner to see whether or not you're vulnerable.  If his site is offline or slow, it probably means he's still being attacked for trying to make the 'net a better place.  Please try back later.


The hacker story:  http://grc.com/dos/grcdos.htm

Testing your own computer:  http://grc.com  and click on "Shields Up!"