The e-mail, which was originally written in Portuguese and was reported to be doing the rounds in Brazil last month, has now been translated and appears to be spreading throughout the UK, advising people to delete a harmless Microsoft Windows utility--called sulfnbk.exe--from their hard disks.
Antivirus experts were quick to point out that the e-mail does not contain a worm, and is being passed around simply by well-meaning people alarmed at its contents.
"This is social engineering on a grand scale," said Symantec spokesperson Lucy Bunker. "Whereas e-mail worms mass mail themselves and cause destruction, this hoax message simply asks you to mass mail it yourself, and then delete the information on your computer. In essence, you're doing the work of a destructive virus yourself."
The hoax message indicates that the virus was found on every PC in somebody's office, and that it was not detectable with virus software. In fact, the file is on every PC that has Windows installed, and is not detected by antivirus software because it is not--and does not normally contain--a virus.
"The file that people are being asked to delete is a legitimate file that is part of the Windows operating system," said Bunker. "We are working with Microsoft to find out what people should do if they have deleted this file; it is a useful file and you shouldn't delete it."
Sulfnbk.exe is a Microsoft Windows utility that is used to restore long file names, according to Symantec, and deleting it could cause that feature to cease working properly.
Bunker said that Symantec received a handful of enquiries about the e-mail message yesterday, and more today--probably triggered by the warning that the virus would activate on 1 June, she said. An earlier variant warned that the virus would activate on 25 May.
Experts believe the propagation of the Sulfnbk.exe e-mail is caused mainly by confusion. Vmyths.com, a Web site that debunks spurious virus warnings, said the confusion may have been heightened by the fact that e-mails were surfacing that contained a copy of the Sulfnbk.exe file that was infected with a virus. But this virus, called W32.Magistr.24876@mm, is well-known and easily removed with any good antivirus software.
Vmyths.com believes the new e-mail was begun by somebody who was forwarded a message by a colleague whose PC did actually have the Magistr worm. This person, suggests the site, searched for the Sulfnbk.exe file, found and deleted it (after discovering that antivirus software failed to recognize the file), and sent out a warning to other users. The site calls this the "False Authority Syndrome".
Symantec's Bunker said there are several easy clues to detect bogus virus warnings. "Anything that has lots of capital letters saying things like VIRUS WARNING should be treated with scepticism," said Bunker. Also, phrases warning that a supposed virus will absolutely destroy everything on a hard disk should be taken with a pinch of salt, as should those suggesting there is no known fix.
"Hoax e-mails also often attribute information to MSN, AOL, Microsoft, CNN to give them credibility," Bunker added, "but these companies don't usually issue virus warnings."
The hoax e-mail reads as follows:
"URGENT. A VIRUS could be in your computer files now, laying dormant but will become active on June 1, 2001."
"FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND HOW TO REMOVE IT NOW."
"It was brought to my attention that this virus is in circulation via e-mail. I looked for it and to my surprise I found it on my computer as well as everyone else's in my office. Please follow the directions and remove it from yours TODAY!!!!!!!"
"Virus software cannot detect it. It will become active on June 1, 2001 and it might be too late by then. It wipes out all files and folders on the hard drive. This virus travels thru e-mail and migrates to the 'C:\windows\command' folder. To find it and get rid of it off of your computer, do the following:"
The e-mail then goes on to give a detailed list of instructions on how to delete the sulfnbk.exe file, and continues:
"The bad part is: You need to contact everyone you have sent ANY e-mail to in the past few months. Many major companies have found this virus on their computers. Please help your friends !!!!!!!!"
"--DO NOT RELY ON YOUR ANTIVIRUS SOFTWARE. McAFEE and NORTON CANNOT
-- DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
-- WHATEVER YOU DO, DO NOT OPEN THE FILE!!!"
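Bunker's clues, together with two traits of this message noted earlier in the article (it asks readers to forward it, and it claims antivirus software cannot see the threat), can be turned into a simple screening heuristic for a help desk or mail gateway. The Python below is an added example, not part of the original article: the rule names, patterns, thresholds and the benign sample are assumptions, and the hoax sample is constructed from excerpts of the message quoted above.

```python
import re

# Constructed sample: excerpts of the hoax text quoted in this article.
HOAX = (
    "URGENT. A VIRUS could be in your computer files now, laying dormant but "
    "will become active on June 1, 2001. Virus software cannot detect it. "
    "It wipes out all files and folders on the hard drive. "
    "You need to contact everyone you have sent ANY e-mail to in the past few "
    "months. DO NOT RELY ON YOUR ANTIVIRUS SOFTWARE. McAFEE and NORTON CANNOT "
    "DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST."
)
# Constructed sample: a plain notice for contrast.
BENIGN = ("Updated definitions are available for the Magistr worm. "
          "Run a full scan with current antivirus software to remove it.")

# Hypothetical rule names and patterns, one per clue named in the article.
RULES = {
    "total_destruction": r"\b(wipes? out|destroys?|erases?) (all|every)",
    "av_cannot_detect": r"\b(cannot|can't|not) (be )?detect"
                        r"|do not rely on your antivirus",
    "no_known_fix": r"\bno (known )?(fix|cure|remedy)\b",
    "chain_forward": r"\b(contact|forward|send)[^.]{0,40}\b(everyone|everybody)",
    "borrowed_authority": r"\b(msn|aol|microsoft|cnn)\b",
}

def shouting_ratio(text, min_len=4):
    """Fraction of words with min_len or more letters written all in capitals."""
    words = [w for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len]
    return sum(w.isupper() for w in words) / len(words) if words else 0.0

def hoax_clues(text, caps_threshold=0.15):
    """Return the sorted names of the clues present in the text."""
    hits = [name for name, pat in RULES.items() if re.search(pat, text, re.I)]
    if shouting_ratio(text) >= caps_threshold:
        hits.append("shouting_caps")
    return sorted(hits)

def looks_like_hoax(text, min_clues=3):
    """Flag for human review once several independent clues co-occur."""
    return len(hoax_clues(text)) >= min_clues

if __name__ == "__main__":
    for label, msg in (("hoax", HOAX), ("benign", BENIGN)):
        print(label, looks_like_hoax(msg), hoax_clues(msg))
```

Requiring several clues to co-occur keeps a single capitalised subject line or a lone vendor name from flagging an ordinary notice.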