It seems to have been a slow week. Only one Microsoft security bulletin, and even that was 'only' a revision of a relatively low-threat bulletin from last year. The SULFNBK.EXE virus hoax has certainly garnered much press coverage and it seems that more hype may be generated today over a LoveLetter variant that, as far as anyone can tell, was sent by its writer direct to one antivirus company who obligingly published an 'alert' because it had the potential to become widespread. Many other antivirus developers seem to feel compelled to jump on the same publicity bandwagon...
It is impossible to know how many people have followed the bogus advice of this latest 'hoax' virus warning, but it seems to have been quite 'successful' in spreading round the globe, if the number of languages it has been translated or retold in is a reasonable metric of such 'success'. The interesting thing about this hoax is that its message is often passed on by someone writing their own version of the story, and as we all know from that primary school game, such activity leads to titillation and 'elaboration' beyond what was originally there.
The essence of the hoax warning message is the claim that the harmless standard Windows utility program SULFNBK.EXE contains a virus. Of course, according to the warning, this virus cannot be detected by antivirus software, but unlike typical virus warning hoaxes, this one is not said to arrive in your e-mail. In fact, most versions of the story are very thin on details of how the reputed virus got to your machine. So why has this bogus warning become so widespread?
FUD -- fear, uncertainty and doubt. Most forms of the message contain a simple description of using the standard Windows 'Find Files' Explorer applet to 'check whether you are already infected'. As most Windows 98 and ME users will find the file, this has high 'shock value' for those who do not immediately dismiss the message as unauthoritative (and in many cases, the message will have been received from friends who have 'saved' the victims of this message from such (non-existent) terrors as 'the Good Times virus', 'Budweiser Frogs', 'It Takes Guts to Say "Jesus"' and so on...).
Much has been written about this 'hoax' in the last few days, and the number of people asking about 'the SULFNBK.EXE virus' has skyrocketed. This is at least partly due to the fact that most recent versions of the 'descriptions' of this non-issue have added the feature that this 'virus' supposedly 'activates' (and in some accounts 'becomes a virus' -- that's why your antivirus software doesn't detect it!) on 1 June.
OK -- you think you have all that clear? The copy of SULFNBK.EXE that has been lurking on millions of machines all round the globe since Windows 98 was released _is not a virus_.
But (you knew that was coming, right?), that does not mean _all_ files named SULFNBK.EXE are not viruses. Obviously, on a machine infected with a parasitic Windows executable infector, SULFNBK.EXE might be just as suitable an infection target as any or all other EXEs. And such a virus could, if its writer so wished, have been written to e-mail itself in one of those infected EXEs.
That is precisely what Win32/Magistr does, and because of the way it quasi-randomly chooses the EXE file to e-mail to its potential new victims, SULFNBK.EXE has a good chance of being that file. So,
regardless of the fact that the warning to delete any and all SULFNBK.EXE files on your machine is seriously misguided, e-mail messages that arrive bearing copies of SULFNBK.EXE should definitely _not_ be considered 'safe' (as, in fact, should no messages bearing unexpected attachments).
And the final twist? Magistr is quite buggy and sometimes none of the EXE files it chooses to e-mail are infected, so some of the SULFNBK.EXE files Magistr distributes will, in fact, not be infected with Magistr! (But you still wouldn't trust them, would you...)
- Microsoft KnowledgeBase description of using SULFNBK.EXE:
Probable hype about new LoveLetter variant
As 'press time' approaches for this issue of the newsletter, its compiler is seeing what appears to be the kind of spike in interest in a virus that suggests the virus will be mentioned in the general media by the end of the day. The worrying thing about this is that the virus of interest is utterly insignificant.
Although it is a mass mailer, and mass mailers have been the most successful and among the most widespread viruses of recent times, LoveLetter.CN has not been reported from a single real-world infection incident despite first being 'alerted' on about 48 hours ago. Apart from the 'threat' of extensive global distribution because it is a mass mailer, this virus is likely to garner media attention because of its social engineering hook -- it suggests to recipients of the carrier messages that the attachment is a picture of a naked Jennifer Lopez. The attachment is named 'JENNIFERLOPEZ_NAKED.JPG.vbs'. As well as distributing copies of the virus to all addresses in all Outlook address lists, it drops and runs a small executable program infected with CIH.1019.A. Although all virus scanners have detected this second virus for close to three years now, it is not dropped until after the mass mail payload runs and is encoded inside the VBS file rather than also being an attachment to the message. These factors mean that the CIH virus will not be detected by antivirus software until after LoveLetter.CN's mass mailing has occurred, but at least active on-access ('monitor') type scanners should prevent the CIH-infected program from being run. Further, many scanners detect this new LoveLetter variant heuristically or generically, as its code is quite similar to the original LoveLetter virus.
Note: Many reports of this virus will incorrectly refer to it as LoveLetter.CM, including reports from the first two antivirus companies that posted 'alerts' about it.
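The two items above make the same defender's point from opposite directions: a file named SULFNBK.EXE on disk is harmless, yet a copy of it arriving by e-mail may be Magistr's carrier, and a name like 'JENNIFERLOPEZ_NAKED.JPG.vbs' is a script dressed up as a picture. Judging an attachment by its name is not enough. The script below is an added example written for this newsletter, not code from the newsletter, Microsoft or any antivirus vendor. It triages attachments by executable extension, double extension, PE ('MZ') header under a non-executable name, and, for a filename with a known-good baseline, by comparing its SHA-256 digest to that baseline. The extension lists and the 'clean' SULFNBK.EXE bytes are constructed for the example; a real baseline would be hashed from clean installation media.

```python
"""Attachment triage: judge an e-mailed file by its content, not its name.
Added example; the extension lists and baseline bytes are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions Windows will run when double-clicked. Assumed for this example;
# not official and not exhaustive.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "wsh",
}
# Extensions that make a name look like a harmless picture or document.
DOCUMENT_LOOKALIKES = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "pdf", "htm", "html"}

# CONSTRUCTED stand-in for the bytes of a clean SULFNBK.EXE. A real baseline
# would be hashed from clean installation media, not invented here.
CLEAN_SULFNBK = b"MZ" + b"constructed clean sulfnbk body " * 8
KNOWN_GOOD_SHA256 = {"SULFNBK.EXE": hashlib.sha256(CLEAN_SULFNBK).hexdigest()}


@dataclass
class Verdict:
    filename: str
    flags: List[str] = field(default_factory=list)
    baseline: Optional[str] = None  # "match", "mismatch", or None if no baseline

    def suspicious(self) -> bool:
        return bool(self.flags)


def triage_attachment(filename: str, content: bytes) -> Verdict:
    """Flag an attachment that is executable, disguised, or altered."""
    v = Verdict(filename)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. Anything the OS will execute is unexpected in mail, clean copy or not.
    if ext in EXECUTABLE_EXTENSIONS:
        v.flags.append(f"executable attachment (.{ext})")

    # 2. picture.jpg.vbs: a document-looking name hiding a script.
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS and parts[-2] in DOCUMENT_LOOKALIKES:
        v.flags.append("double extension disguises script as " + parts[-2])

    # 3. A Windows executable starts with 'MZ'; that header under a
    #    non-executable name means the content is lying about what it is.
    if content[:2] == b"MZ" and ext not in {"exe", "com", "scr", "pif", "dll"}:
        v.flags.append("PE executable content under non-executable name")

    # 4. Same name as a known system file: compare content to the baseline.
    #    A parasitic infector changes the bytes, so the digest changes too.
    key = filename.upper()
    if key in KNOWN_GOOD_SHA256:
        digest = hashlib.sha256(content).hexdigest()
        v.baseline = "match" if digest == KNOWN_GOOD_SHA256[key] else "mismatch"
        if v.baseline == "mismatch":
            v.flags.append(f"content differs from known-good {key} (possible parasitic infection)")
    return v


def triage_message(attachments) -> List[Verdict]:
    """Triage every (filename, bytes) pair attached to one message."""
    return [triage_attachment(name, data) for name, data in attachments]


if __name__ == "__main__":
    # CONSTRUCTED sample message: a clean copy of the system file, an altered
    # copy, a disguised script, and a genuine picture.
    samples = [
        ("SULFNBK.EXE", CLEAN_SULFNBK),
        ("SULFNBK.EXE", CLEAN_SULFNBK + b"appended-bytes"),
        ("JENNIFERLOPEZ_NAKED.JPG.vbs", b"' constructed script text\r\n"),
        ("holiday.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes"),
    ]
    for verdict in triage_message(samples):
        state = "SUSPICIOUS" if verdict.suspicious() else "ok"
        print(f"{verdict.filename}: {state} baseline={verdict.baseline} {verdict.flags}")
```

Note that the clean copy of SULFNBK.EXE is still flagged: its digest matches the baseline, which tells you Magistr's buggy selection sent you an uninfected file, but an unsolicited executable in mail is never 'safe', which is exactly the newsletter's point. The baseline comparison only tells you whether the bytes are the ones you expect; it cannot tell you anything about a name it has no baseline for.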
Updated patch for HyperTerminal buffer overflow
In October last year, the newsletter reported on Microsoft security bulletin MS00-079 and the patch it offered for a buffer overflow in HyperTerminal. A similar flaw has subsequently been discovered, fixed and added to the earlier patch, hence the update of the security bulletin to announce the updated patch.
[Remember, in 2000 the security bulletins were the 'old style' ones with a separate FAQ page, so two URLs for that...]
Buffer overflow exploit in Solaris yppasswdd
A remotely exploitable buffer overflow has been reported in Solaris' yppasswdd, and active exploits of this have been found in the wild. The original bugtraq report notes a couple of workarounds.
"Hacker challenges" cheap publicity but poor product tests?
An interesting article by David Raikow questions the real value of the not uncommon 'security tests' supposedly presented by increasingly popular 'hacker challenges'. He argues that such events have high publicity value but generally little else. When reading David's comments and imagining the hordes of mainly wannabe hackers 'chipping away' at the machine(s) in such challenges, the newsletter compiler couldn't help but recall the observation by Robert Wilensky of the University of California that:
We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true.