SULFNBK: Virus or hoax... or both?

December 20, 2001 Sophos Press Release

Sophos has received a large number of calls from users concerned about a virus known as SULFNBK or SULFNBK.EXE.

A warning message is being distributed around the net (in various languages) telling users to search their hard drives for a file called SULFNBK.EXE. If they find it, the warning tells them, they should delete it because it is infected by a virus which may trigger on 1 June (other versions say 25 May).

Sophos advises users to treat the warning with scepticism.

Many computers do have a legitimate, uninfected version of SULFNBK.EXE on them because it is a program which comes with Windows 95/98 to back up and restore long filenames. Deleting the file may in fact cause your computer system serious problems.

The confusion is compounded, however, by the W32/Magistr-A virus, which is capable of emailing infected copies of SULFNBK.EXE to innocent users. This is probably how the scare started.

Sophos offers the following advice to users confused by the hoax warning and the virus:

  1. If you receive an unsolicited executable file in your email (such as SULFNBK.EXE), simply delete the email. You should never launch or open unsolicited executable code on your computer.
  2. The existence of a file called SULFNBK.EXE on your hard drive is not in itself evidence of a virus infection. The best way to check for a virus infection is with anti-virus software.
  3. Run a quality anti-virus product and keep it updated to protect against the latest threats.
  4. Do not pass on virus warnings to all of your friends. Instead, check the facts at an anti-virus website, or forward the warning to the person in your company who is responsible for virus protection so they can decide if it is valid.
  5. Consider adding Sophos's free hoax information feed to your website and intranet to keep your users informed about the latest virus hoaxes spreading across the internet.