Worm sneaks ride with 1 June hoax
Published: 05 Jun 2001 08:44 BST
It sounds like the newest twist in a second-rate thriller: Just when you were lulled into thinking it was a harmless prank, the killer virus attacks!
A hoax e-mail warning people that their PCs might contain a virus duped an untold number of people into deleting the sulfnbk.exe file from their hard drives last week. But now some computer users are receiving another e-mail with "sulfnbk.exe" in the subject line--and this time it may actually contain a harmful virus.
People who have received the virus say that launching the attached application lets loose a worm that could do substantial harm to the user's computer and to the machines of everyone on their e-mail lists.
"My concern is that because of the original hoax, people will have their guard down where this file is concerned," a system administrator wrote in an e-mail message. The company's anti-virus software caught the worm on a worker's computer.
But antivirus experts say a prankster did not send computer users a hoax to lull them into an actual attack. The sulfnbk.exe file is safe and does not contain a virus. Instead, a second attachment in the same e-mail contains the harmful W32Magistr@MM virus.
The virus, dubbed "Magistrate," has a variety of official file names that include numbers before the @ symbol. First detected on 13 March, Magistrate files may also be named W32Magistr.24876@mm.
Most anitvirus software detects and destroys Magistrate before it harms users' computers, but letting Magistrate loose could have disastrous consequences. Security experts at Symantec rate it a four on a scale of one to five for its potential danger, which includes system crashes and the release of confidential information.
The self-propagating worm infects Windows files and sends itself to all addresses in the Outlook/Outlook Express e-mail folders, the "sent items" file from Netscape and the Windows address book. Although it picks random copy from infected users' hard drives, Symantec cautions that the virus could send confidential Microsoft Word documents to others on the user's e-mail list.
E-mail sent from machines infected with Magistrate may have up to two attachments, as well as randomly generated subject lines and message bodies.
The sulfnbk.exe hoax began at least a month ago and quickly spread around the world as computer users, on heightened alert after a slew of media reports regarding nasty viruses, passed e-mail warnings about the potential threat. Many people deleted sulfnbk.exe -- a Windows system file that helps identify long file names.
Magistrate-infected computers then received the well-intentioned warning and spammed others with e-mail. The randomly generated subject line reads "sulfnbk.exe" and includes the harmless sulfnbk.exe file. The other attachment is the Magistrate virus.
"Magistrate is a particularly nasty one," said Vincent Weafer, director of Symantec's antivirus research center. "It's definitely in the wild because we still get fairly constant reports of it."
Rob Rosenberger, editor of virus information site Vmyths.com , says the quick spread of the sulfnbk.exe hoax and the piggyback Magistrate virus reflects the complicated propagation of viruses, but it's also a simple indictment of security companies and the antivirus software they sell.
"People don't trust their antivirus software," Rosenberger said. "For years, we've been given antivirus software that regularly fails, and when it fails it fails spectacularly.
"People have been conditioned over the years that their antivirus software will fail. People trust their eyeballs more than they trust software, so when they see an e-mail from their friend warning of a virus, they believe it more than the software."
Confusion about which warnings are hoaxes and which are real could mount in the future as virus creators become more sophisticated. Microsoft called the sulfnbk.exe hoax an example of "social engineering," and experts agree that computer users may soon become the target of hackers who play sophisticated psychological games with computer users.
Symantec has already detected legitimate viruses sent after hoax viruses meant to lower computer users' guard. Rosenberger calls the increasingly common phenomenon "ex-post hoaxo."
"I've got a funny feeling that hoaxters are going to create more ex-post hoaxos," Rosenberger said. "It wouldn't be hard for somebody to write a worm that spreads itself as sulfnbk.exe. The e-mail can say, 'Hey Connie, in case you got duped by the hoax, go ahead and put this attachment in your Windows/command directory.'"
Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.
Did you find this article useful?
24 out of 38 people found this useful
- Share this article:
