Information Security News
mailing list archives
Real virus piggybacks on e-mail hoax
From: InfoSec News <isn () c4i org>
Date: Mon, 4 Jun 2001 18:12:40 -0500 (CDT)
By Rachel Konrad
Staff Writer, CNET News.com
June 4, 2001, 1:55 p.m. PT
It sounds like the newest twist in a second-rate thriller: Just when
you were lulled into thinking it was a harmless prank, the killer
A hoax e-mail warning people that their PCs might contain a virus
duped an untold number of people into deleting the sulfnbk.exe file
from their hard drives last week. But now some computer users are
receiving another e-mail with "sulfnbk.exe" in the subject line--and
this time it may actually contain a harmful virus.
People who have received the virus say that launching the attached
application lets loose a worm that could do substantial harm to the
user's computer and to the machines of everyone on their e-mail lists.
"My concern is that because of the original hoax, people will have
their guard down where this file is concerned," a system administrator
wrote in an e-mail message. The company's anti-virus software caught
the worm on a worker's computer.
But antivirus experts say a prankster did not send computer users a
hoax to lull them into an actual attack. The sulfnbk.exe file is safe
and does not contain a virus. Instead, a second attachment in the same
e-mail contains the harmful W32Magistr () MM virus.
The virus, dubbed "Magistrate," has a variety of official file names
that include numbers before the @ symbol. First detected March 13,
Magistrate files may also be named W32Magistr.24876 () mm
Most anitvirus software detects and destroys Magistrate before it
harms users' computers, but letting Magistrate loose could have
disastrous consequences. Security experts at Symantec rate it a four
on a scale of 1-5 for its potential danger, which includes system
crashes and the release of confidential information.
The self-propagating worm infects Windows files and sends itself to
all addresses in the Outlook/Outlook Express e-mail folders, the "sent
items" file from Netscape and the Windows address book. Although it
picks random copy from infected users' hard drives, Symantec cautions
that the virus could send confidential Microsoft Word documents to
others on the user's e-mail list.
E-mail sent from machines infected with Magistrate may have up to two
attachments, as well as randomly generated subject lines and message
The sulfnbk.exe hoax began at least a month ago and quickly spread
around the world as computer users, on heightened alert after a slew
of media reports regarding nasty viruses, passed e-mail warnings about
the potential threat. Many people deleted sulfnbk.exe--a Windows
system file that helps identify long file names.
Magistrate-infected computers then received the well-intentioned
warning and spammed others with e-mail. The randomly generated subject
line reads "sulfnbk.exe" and includes the harmless sulfnbk.exe file.
The other attachment is the Magistrate virus.
"Magistrate is a particularly nasty one," said Vincent Weafer,
director of Symantec's antivirus research center. "It's definitely in
the wild because we still get fairly constant reports of it."
Rob Rosenberger, editor of virus information site Vmyths.com, says the
quick spread of the sulfnbk.exe hoax and the piggyback Magistrate
virus reflects the complicated propagation of viruses, but it's also a
simple indictment of security companies and the antivirus software
"People don't trust their antivirus software," Rosenberger said. "For
years, we've been given antivirus software that regularly fails, and
when it fails it fails spectacularly.
"People have been conditioned over the years that their antivirus
software will fail. People trust their eyeballs more than they trust
software, so when they see an e-mail from their friend warning of a
virus, they believe it more than the software."
Confusion about which warnings are hoaxes and which are real could
mount in the future as virus creators become more sophisticated.
Microsoft called the sulfnbk.exe hoax an example of "social
engineering," and experts agree that computer users may soon become
the target of hackers who play sophisticated psychological games with
Symantec has already detected legitimate viruses sent after hoax
viruses meant to lower computer users' guard. Rosenberger calls the
increasingly common phenomenon "ex-post hoaxo."
"I've got a funny feeling that hoaxters are going to create more
ex-post hoaxos," Rosenberger said. "It wouldn't be hard for somebody
to write a worm that spreads itself as sulfnbk.exe. The e-mail can
say, 'Hey Connie, in case you got duped by the hoax, go ahead and put
this attachment in your Windows/command directory.'"
ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com
- Real virus piggybacks on e-mail hoax InfoSec News (Jun 05)