The Mauritius Yellow Pages News - Possible Virus Warning SULFNBK.EXE

Mauritius News in French and English

Click here to make themyp.com your default homepage 

Tell a friend about this article

Posted to the web May 31, 2001

May 31, 2001 - Port Louis, Mauritius, Indian Ocean   

The following hoax email has been reported in Brazil. The original email is in Portuguese; but the English translation follows.

Translated English version of the hoax email:

Do you believe that a friend of mine sent me an alert and the procedure that we have to follow for the possible infection of SULFNBK.EXE. And I had checked, just to make sure. An then... the file was there, hidden even of McAfee and Norton, maybe waiting something to start work. Well, see bellow the procedure that I followed step by step, and I found the file:

1. Start/Find Folders. Type the file name: SULFNBK.EXE

2. If it find, open Windows Explorer, browse into the folder where the file is and delete it. Do not click with left button on the file and do not open it.

3. Just delete it

4. Mine was on Windows/Command

5. The virus from the person who gave the alert was on Windows/Config

Yes, Norton and McAfee do not detect it.

We do not know if it makes some damage on the machine, but I think that anybody will not want to test it to know, will it?

Folks, this is not fun, I deleted it from my computer.

And my definitions are updated.

Do the same, ok?

A new version of this hoax has additional text stating the virus will activate on June 1st:

It was brought to my attention yesterday that a virus is in circulation via email. I looked for it and to my surprise I found it on mine. ..

Please follow the directions and remove it from yours TODAY!!!!!!!

6. No Virus software can detect it. It will become active on June 1, 2001.

It might be too late by then. It wipes out all files and folders on

the hard drive. This virus travels thru E-mail and migrates to the

'C:\windows\command' folder.

The bad part is: You need to contact everyone you have sent ANY E-mail to in the past few months. Many major companies have found this virus on their computers. Please help your friends !!!

DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST. WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

CAUTION:

This particular email message is a hoax. The file that is mentioned in the hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to restore long file names, and like any .exe file, it can be infected by a virus that targets .exe files

The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file is a Microsoft Windows utility that is used to restore long file names and is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to an email message, then it is possible that the file is infected. You will need to run your computer's anti-virus software and set it to scan all files to detect the virus

W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.

The virus is also known as I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm,

and its threat rating, as disclosed by SYMANTEC.COM, is high for both damage and distribution (propagation) on systems.

When a file that is infected by W32.Magistr.24876@mm is executed, it searches in memory for a readable, writable, initialized section inside the memory space of Explorer.exe. If one is found, a 110-byte routine is inserted into that area, and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue. When the inserted code gains control, a thread is created and the original TranslateMessage function is called. The thread waits for three minutes before activating.

Then the virus obtains the name of the computer, converts it to a base64 string, and depending on the first character of the name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the email address books and the date of initial infection. Then it retrieves the current user's email name and address information from the registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js file (Netscape). The virus keeps in its body a history of the 10 most recently infected users, and these names are visible in infected files when the virus is decrypted.

After this, the virus searches for the Sent file in the Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows and \ProgramFiles folders.

If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses a random number of words from one of these files. These words are used to construct the subject and message body of the email message. Then the virus searches for up to 20 .exe and .scr files smaller than 128 KB, infects one of these files, attaches the infected file to the new message, and sends this message to up to 100 people from the address books.

In addition there is a 20-percent chance that it will attach the file from which the subject and message body was taken, and an 80-percent chance that it will add the number 1 to the second character of the sender address. This last change prevents replies from being returned to you and possibly alerting you to the infection.

After the mailing is done, the virus searches for up to 20 .exe and .scr files, and infects one of these files. Then there is a 25-percent chance, if the Windows directory is named one of the following:

· Winnt

· Win95

· Win98

· Windows

that the virus will move the infected file into the \Windows folder and alter the file name slightly. Once the file is moved, a run= line is added to the Win.ini file to run the virus whenever the computer is started. In the other 75 percent of cases, the virus will create a registry subkey in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The name of this subkey is the name of the file without a suffix, and the value is the complete file name of the infected file. The virus then searches all local hard drives and all shared folders on the network for up to 20 .exe and .scr files to infect, and add the run= line if the \Windows folder exists in that location.

If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:

sentences you; sentences him; to sentence you; to ordered to prison; convict; judge; circuit judge; trial judge; found guilty; find him guilty; affirmed judgment of conviction; verdict guilty; plea trial; court trial; chamber sufficiency; of proof sufficiency; of the evidence proceedings; against the accused; habeas corpus

Then the virus will activate and do the following:

· Deletes the infected file

· Erases CMOS (Windows 9x/Me only)

· Erases the Flash BIOS (Windows 9x/Me only)

· Overwrites every 25th file with obscene text as many times as it will fit in the file

· Deletes every other file

· Displays an obscene message:

To remove this worm:

1. Make sure that you have the most recent virus definitions for the anti-virus software on your computer

2. Start anti-virus program, and run a full system scan, making sure your anti-virus program is set to scan all files.

3. If any files are detected as infected by W32.Magistr.24876@mm, choose the Repair of your anti-virus program.

NOTE: This virus contains bugs which will corrupt some files while attempting to infect them. These files cannot be repaired; they must be restored from backup.

If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder and want to know how to restore the file, you should contact Microsoft for assistance. You can check Microsoft's support site at www.microsoft.com\support for further information.

Windows 98 provides a tool called the System File Checker (SFC). Windows Millennium uses an option called Extract File located in the System Configuration Utility. Both utilities allow you to restore a file in Windows from your original CD or Windows install files.

Mauritius Yellow Page Archive | Interesting Mauritian Sites | Mauritian Sites | Mauritius News | Mauritius Yellow Pages Directory | Mauritius Top Sites | Mauritius What's New | World News | Top_Sites_in_Mauritius | Top_Mauritian_Sites_Archive | Top_20_Mauritian_Sites | The_Mauritius_Yellow_Pages_Archive | The_Mauritius_Yellow_Pages_Browsing_by_Category | sub | News_Archive | New_uploads | The_Mauritius_Yellow_Pages_Trademarks_Browse_by_Category_A-M | The_Mauritius_Yellow_Pages_Trademarks_Browse_by_Category_N-Z |  Mauritius_Residential_Telephone_Numbers

Mauritius Yellow Pages | Mauritius advertising | Mauritius Classifieds | Feedback | Mauritius Services | Mauritius Search | Features
Contact us | The Mauritius Yellow Pages

Ó Copyright Internet Services www.icsm.biz 2000 - 2005