Be a friend and don't send e-mail that may harbor a hoax
virus
By BILL HUSTED Cox News Service
ATLANTA -- He was just trying to help. My fishing lure was stuck on a
snag. I was leaning over the side of a bass boat in the driving rain,
wearing a plastic rainsuit, and my friend reached over to steady me.
Instead, the push -- along with my rain-slick suit -- was enough to push
me over the boat, head first, into the lake.
Applause came from a nearby boat as I sputtered to the surface.
Sometimes the worst thing your friends can do is help. And when it
comes to computers and bass boats, the wrong kind of help can get you in
over your head.
For instance, the other day a friend from the newspaper forwarded an
e-mail and asked me whether the attachment contained a virus. I didn't
open the attachment, and my anti-virus software detected the virus anyway.
But it is just the sort of help I can do without.
Then there are the floods of hoax e-mails about viruses that don't
exist. Maybe you've received one. They almost always come with text
something like this:
"I don't usually forward these things, but the computer expert
where I work says this is real and very dangerous."
Almost always the virus isn't real. But passing along the message still
can be dangerous. Recently a hoax virus e-mail made the rounds, complete
with directions for removing the virus. The recipient was told what to
look for and instructed how to delete it.
Trouble is, the file was a legitimate one -- not a crucial one, thank
goodness -- that is part of Windows.
I have become so used to these "helpful" e-mails that I might
have ignored the whole thing. But Dave Puetz, the network administrator at
Adtech Solutions in Alpharetta, Ga., wrote to suggest that I could make
his e-mailbox a happier place. He's in the same boat as I, a person who
gets a steady stream of these e-mails from friends.
"I, the same as you, am considered a 'computer expert' by friends,
relatives, neighbors, pets, etc. Therefore, when these people get these
e-mails, they either (intelligently) forward it to me and ask, 'Is this
real?' or, more often, they (unintelligently) do the damage, THEN ask if
it is real, or forward it to me as well as everyone else in their address
books, so that I can 'tell all my computer buddies about this horrendous
virus.'"
What Puetz is saying is that forwarding such e-mail is,
at best, an inconvenience to the person who receives it. Or, if the
recipient doesn't know much about computers and sends the note on, that
creates an ever-multiplying flood of stupid e-mail, passed on witlessly by
well-meaning people. At worst, a well-constructed hoax e-mail can cause
people to -- by following the directions -- do damage to their PCs.
"What is to stop an e-mail from circulating that tells them to
boot into a safe mode DOS prompt and delete (critical files that your
computer needs)? It is simplicity in itself, but man alive, do these
things reel in the suckers. I thought your article would be the ideal
forum to raise awareness to e-mail virus hoaxes and the damage they can do
to e-mail servers, networks, etc."
Consider it done. It's a good idea, Dave.
Here are some things to do when you get your next e-mail warning of a
virus.
First, don't automatically send along the e-mail.
Next, check Web sites such as http://securityresponse.symantec.com/avcenter/hoax.html
or http://www.hoaxbusters.ciac.org
or http://www.vmyths.com . All
these sites do their best to identify virus hoaxes. Odds are that one of
these sites will help identify the e-mail hoax, if it is one.
Obviously you also want to have and use a good anti-virus program. I
favor Norton Anti-Virus.
Once you have the program installed, make sure you update it regularly.
Norton uses a system called "Live Update" that automatically
checks for updates.
Because an anti-virus program finds viruses based on what the trade
calls the "signature" -- the unique attributes of the tiny
program that creates the virus -- your anti-virus program is useless
unless it has the latest signatures.
If your anti-virus program is up to date, it almost certainly will find
the virus and let you know. In the rare cases that a virus in an e-mail is
real, you can feel easy about telling your friends if you like. However,
even in those cases, keep in mind that many of us have been burned so many
times that we may ignore the warning.
For those many times when you discover that the e-mail is a hoax, you
can warn your friend that he's passing along bad information.
Stop him before he e-mails again.
The following Web site has a regularly updated list of hoaxes. Before
you send anyone e-mail, please check yours against this list.
When you go to this site click on one of the files listed for more
information.
See the Example below the list of names.
When you receive an e-mail that you're not sure of or that sounds odd,
even if it comes from someone you know, check it out before you react.
http://securityresponse.symantec.com/avcenter/hoax.html
Symantec Security Response uncovers hoaxes on a regular basis. These
hoaxes usually arrive in the form of an email. Please disregard the hoax
e-mails - they contain bogus warnings usually intent only on frightening
or misleading users. The best course of action is to merely delete these
hoax e-mails. Please refer to this page whenever you receive what appears
to be a bogus message regarding a new virus, or promotion that sounds too
good to be true.
(just some of the list)
$800 from Microsoft
3b Trojan
AIDS
Antichrist
AOL4Free Virus
AOL and Intel
AOL.EXE
AOL Flashing IM
AOL RIOT 2 Virus
AOL Year 2000 Update
Baby New Year Virus
Bad Times
Be My Valentine
Be Spooked
Bicho7
Big Brother
Blue Mountain Virus
Blueballs Are Underrated Virus
BUDDYLST.ZIP
BUDSAVER.EXE
Budweiser
BUGGLST
California IBM
California Virus
CELLSAVER Virus
CLEANMGR.EXE Warning
D@Fit
Dana
Dear Friends
Death69
Deeyenda
Desi1love
Despite Virus
Discount Virus
DR.SIMON.WAJNTRAUBWS
E-Flu
eBook
Economic Slow Down
Elecciones 2000
EVIL THE CAT Virus
Family Pictures
FatCat Virus
Flashmaster G
Flower for You
Foot N Mouth Virus Warning
Forward
FREE M & M's
Free Money
Free Pizza Virus
FROGAPULT, ELFBOWL, Y2KGAME Virus
Gamma2.exe
GAP Email Tracking
Get More Money
Ghost
Gift from Microsoft
Girl Thing
Go Hip
Good Times
Guts to Say Jesus
Hacky Birthday Virus
Halloween Virus
Happy New Year Virus
Hello Dear
Hairy Palms Virus
Help Poor Dog
Hitler
How to Give a Cat a Colonic
INFILTER
Information on SARC 'Virus Test'
Irina
Irish Virus
Jan1st20.exe Virus
John Kennedy Jr Trojan
Join the Crew
Let's Watch TV
Londhouse Virus
Lotus Notes Worm
Lump of Coal Virus
Macdonald's Screensaver
Matrix Virus
Microsoft Virus
Millennium Time Bomb
MobilVirus
MOBILE PHONE
MusicPanel
NASTYFRIEND99
The New Ice Age
NEWYORK BIG DIRT
Norman Virus
Norton anti - virus v5
Osama vs Bush
Outback Steakhouse
Pandemic
Penpal Greetings
Perrin.exe Virus
Phantom Menace Virus
Pikachus Ball
Playboy Girls
Pluperfect
Red Alert
Returned or Unable to Deliver
Sandman
Sarc Virus Test
Scoutshacker
Simon Pugh
Slavemaster
South Park News Letter
SULFNBK.EXE Warning
Symantec ASDL Virus
Teletubbies
Time Bomb
Tuxissa
Upgrade Internet 2
Very Cool
Virtual Card for You Virus
Virtual Card Virus
Virus Business
Wait 48 Hours
Watching
WAZ UP
Win a Holiday
Windows will Fail on Jan 1
Wobbler Virus
Wooden Horse
WordScribe Virus
Work Virus
World Domination
WTC Survivor
Y2K7 Virus
Yellow Teletubbies
Zlatko
ZZ331 Virus
For example, if you click on SULFNBK.EXE Warning, you will see the
following:
SULFNBK.EXE Warning
Reported on: April 17, 2001
Last Updated on: December 26, 2001 at 10:45:22 AM PST
Symantec Security Response encourages you to ignore any messages
regarding this hoax. It is harmless and is intended only to cause
unwarranted concern.
Type: Hoax
Description:
The following hoax email was first reported in Brazil, and the original
email was in Portuguese. Other language versions are in circulation.
Currently, the English language versions are most common.
CAUTIONS:
This particular email message is a hoax. The file that is mentioned in
the hoax, however, Sulfnbk.exe, is a Microsoft Windows 95/98/Me utility
that is used to restore long file names, and like any .exe file, it can be
infected by a virus that targets .exe files.
NOTE: The Sulfnbk.exe file is not required to run Windows. It may be
necessary if you need to restore long file names if the file names become
corrupted. For additional information, read the Microsoft Knowledge Base
article Description of Sulfnbk.exe and How to Replace the Program File
(Q301316)
The virus/worm W32.Magistr.24876@mm can arrive as an attachment named
Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located by default in
the C:\Windows\Command folder.
NOTE: The C:\Windows\Command folder is the usual default location for
this file. It is possible that if you have a custom installation, or a
special configuration that was installed by the computer manufacturer, the
file could be in a different location.
If the file is located in any other folder (except as noted), or
arrives as an attachment to an email message, then it is possible that the
file is infected. In this case, if a scan with the latest virus
definitions and with NAV set to scan all files does not detect the file as
being infected, quarantine and submit the file to SARC for analysis by
following the instructions in the document How to submit a file to SARC
using Scan and Deliver.
If you have deleted the Sulfnbk.exe file from the C:\Windows\Command
folder and want to know how to restore the file, see the How to restore
the Sulfnbk.exe file section at the end of this document.
English versions
NOTE: Several versions are shown, with the most recent ones shown
first. Many more have been reported. All have the same basic theme.
Version 1
Hello! I just got this letter from my friend and yes I had the virus as
well please follow the directions to see if you have the virus and then
follow the directions to get rid of it. Like my friend I am sorry that I
passed it along as well.
Dear All: We received a virus on a message. I followed the instructions
below and found that it had been spread to our computer. I followed the
instructions and located the virus and was able to delete it. The bad news
is that you probably have it, as you are in My Address book! More bad news
is that my anti virus program did not detect this virus. The virus lies
dormant for 14 days and then "kills" your hard drive.
Here is what to do. If you follow the instructions and then see that
you have the virus, you need to send a similar e-mail to everyone in your
address book.
Remove the virus by following these steps:
1. Go to "Start." Then to "Find" or
"Search".
2. In the "Search for files or folders" type sulfnbk.exe --
this is the name of the virus.
3. In the "Look in" section, make sure you are searching
Drive C.
4. Hit "Search" or "Find".
5. If your search finds this file, it will be an ugly blackish icon
that will have the name sulfnbk.exe. DO NOT OPEN IT! If it does not show
up on your first "Search", try a "New Search."
6. Right click on the file -- go down to "Delete" and left
click.
7. You will be asked if you want to send the file to the Recycling Bin
-- say "Yes".
8. Go to your Desktop (where all your icons are) and right click on the
Recycle Bin and either manually delete the sulfnbk.exe program or empty
the entire bin.
9. If you found the virus on your system, send this or a similar e-mail
to all in your address book because this is how it is transferred.
Sorry for the trouble and my apologies for having unwittingly
"infected" you. You'll want to check for this virus again for
the next couple days
until everyone in your address book has seen it and deleted it,
otherwise, being in their address book, your PC will get infected all
over again so don't forget to check!
Version 2
This is very real, and I may have passed it on to you. Check it out as
below right now. Your drive may crash!!
"I had a virus which apparently attaches itself to everyone in my
address book. I deleted it successfully. you may have it as well. Follow
these instructions to see if you have it. It transfers to whomever is in
your address book. It lies dormant for 14 days, then kills your hard
drive. If you've got it send these instructions to everyone in you address
book. Otherwise, it may be sent back to you by somebody else.
1. go to start-then to "find or search"
2. in the "search for files or folders" type in sulfnbk.exe - this is the
name of the virus.
3. in the "look in" make sure you're searching drive C
4. hit "search" button ))or find_
5. if this file shows up (it's an ugly blackish icon that will have the
name sulfnbk.exe) DON'T OPEN IT
6. right click on the file - go down to delete and left click
7. It will ask if you want to send it to the recycle bin - yes
8. go to your desktop (where all your icons are) and double-click on
the recycle bin
9. right click on sulfnbk.exe and delete again or just empty the
recycle bin
IF YOU FIND THIS.....SEND IT TO EVERYONE IN YOUR ADDRESS BOOK, BECAUSE
THAT'S HOW IT IS TRANSFERRED.
Version 3
Do you believe that a friend of mine sent me an alert and the procedure
that we have to follow for the possible infection of SULFNBK.EXE. And I
had checked, just to make sure. An then... the file was there, hidden even
of McAfee and Norton, maybe waiting something to start work.
Well, see bellow the procedure that I followed step by step, and I
found the file:
1. Start/Find Folders. Type the file name: SULFNBK.EXE
2. If it find, open Windows Explorer, browse into the folder where the
file is and delete it. Do not click with left button on the file and do
not open it.
3. Just delete it
4. Mine was on Windows/Command
5. The virus from the person who gave the alert was on Windows/Config
Yes, Norton and McAfee do not detect it.
We do not know if it makes some damage on the machine, but I think that
anybody will not want to test it to know, will it?
Folks, this is not fun, I deleted it from my computer.
And my definitions are updated.
Do the same, ok?
Version 4
This one has additional text stating that the virus will activate on
June 1st.
It was brought to my attention yesterday that a virus is in circulation
via email. I looked for it and to my surprise I found it on mine. ..
Please follow the directions and remove it from yours TODAY!!!!!!!
No Virus software can detect it. It will become active on June 1, 2001.
It might be too late by then. It wipes out all files and folders on
the hard drive. This virus travels thru E-mail and migrates to the
'C:\windows\command' folder.
The bad part is: You need to contact everyone you have sent ANY
E-mail to in the past few months. Many major companies have found this
virus on
their computers. Please help your friends !!!!!!!!
DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
WHATEVER YOU DO, DO NOT OPEN THE FILE!!!
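An added example (not part of the article or of Symantec's write-up): a triage heuristic a mail administrator could run over reported messages, counting the traits the four versions above share. The trait names, patterns, threshold and the condensed sample texts are constructed for this illustration.

```python
import re

FLAGS = re.I | re.S

# Traits shared by the hoax versions quoted above. The trait names, patterns
# and threshold are assumptions of this example, not a Symantec rule set.
TRAITS = {
    # Tells the reader to pass the warning on to their whole address book.
    "chain_forward": re.compile(
        r"\b(?:send|forward|contact)\b.{0,80}?\b(?:everyone|all)\b", FLAGS),
    # Claims that anti-virus products cannot see the "virus".
    "av_cannot_detect": re.compile(
        r"(?:anti[\s-]?virus|virus\s+software|norton|mcafee)\b.{0,60}?"
        r"\b(?:did\s+not|do\s+not|does\s+not|cannot|can't)\s+detect", FLAGS),
    # Names an executable and tells the reader to delete it by hand.
    "delete_named_file": re.compile(
        r"\b[\w-]+\.exe\b.{0,300}?\bdelete\b|\bdelete\b.{0,300}?\b[\w-]+\.exe\b",
        FLAGS),
    # Promises delayed destruction: dormancy, an activation date, a dead disk.
    "doom_deadline": re.compile(
        r"\bdormant\b|\bbecomes?\s+active\b"
        r"|\b(?:kills?|wipes?|crash(?:es)?)\b.{0,40}?\bhard\s+drive\b", FLAGS),
}

def hoax_traits(body):
    """Return the sorted names of the hoax traits found in a message body."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(body))

def looks_like_hoax(body, threshold=2):
    """One trait alone is weak evidence (a debunking notice also names the
    file), so flag only when at least `threshold` traits appear together."""
    return len(hoax_traits(body)) >= threshold

# Constructed samples: condensed from the versions quoted above, plus a
# debunking notice and an unrelated message as negative cases.
SAMPLES = {
    "version_1": "My anti virus program did not detect this virus. The virus "
                 "lies dormant for 14 days and then kills your hard drive. In "
                 "the search box type sulfnbk.exe. Right click on the file and "
                 "go down to Delete. If you found the virus, send this or a "
                 "similar e-mail to all in your address book.",
    "version_3": "The file SULFNBK.EXE was there. Browse into the folder where "
                 "the file is and delete it. Yes, Norton and McAfee do not "
                 "detect it.",
    "version_4": "It will become active on June 1, 2001. It wipes out all "
                 "files and folders on the hard drive. You need to contact "
                 "everyone you have sent any e-mail to. McAfee and Norton "
                 "cannot detect it.",
    "debunk": "This e-mail is a hoax. Sulfnbk.exe is a Windows utility that "
              "restores long file names. Do not delete it; update your virus "
              "definitions and scan instead.",
    "ordinary": "Minutes from Tuesday's meeting are attached. Please send "
                "corrections to me by Friday.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} hoax={looks_like_hoax(body)!s:5} {hoax_traits(body)}")
```

A flagged message is a candidate for checking against a hoax list before anyone forwards it or acts on its instructions; the score is not a verdict.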
How to restore the Sulfnbk.exe file
If you have deleted this file, restoration is optional. Sulfnbk.exe is
a Microsoft Windows utility that is used to restore long file names. It is
not needed for normal system operation. If you want to restore it, there
is more than one way to do this. See the information that follows.
NOTES:
The C:\Windows\Command folder is the usual default location for this
file. It is possible that if you have a custom installation, or a special
configuration that was installed by the computer manufacturer, the file
could be in a different location.
The Sulfnbk.exe file is not required to run Windows. It may be
necessary if you need to restore long file names if the file names become
corrupted. For additional information, read the Microsoft Knowledge Base
article Description of Sulfnbk.exe and How to Replace the Program File
(Q301316)
The instructions in this document are provided for your convenience.
The extraction of Windows files uses Microsoft programs and commands.
Symantec does not provide warranty support for or assistance with
Microsoft products. If you have any questions, please see your Windows
documentation or contact Microsoft.
Windows Me
If you are using Windows Me, you can restore the file using the System
Configuration Utility.
1. Click Start and then click Run.
2. Type msconfig and then press Enter.
3. Click Extract Files. The "Extract one file from installation
disk" dialog box appears.
4. In the "Specify the system file you would like to restore"
box, type the following, and then click Start:
c:\windows\command\sulfnbk.exe
NOTE: If you installed Windows to a different location, make the
appropriate substitution.
The Extract File dialog box appears.
5. Next to the "Restore from" box, click Browse, and browse
to the location of the Windows installation files. If they were copied to
the hard drive, this is, by default, C:\Windows\Options\Install. You can
also insert the Windows installation CD in the CD-ROM drive and browse to
that location.
6. Click OK and follow the prompts.
Windows 98
If you are using Windows 98, you can restore the file using the System
File Checker.
1. Click Start and then click Run.
2. Type sfc and then press Enter.
3. Click "Extract one file from installation disk."
4. In the "Specify the system file you would like to restore"
box, type the following, and then click Start:
c:\windows\command\sulfnbk.exe
NOTE: If you installed Windows to a different location, make the
appropriate substitution.
The Extract File dialog box appears.
5. Next to the "Restore from" box click Browse, and browse to
the location of the Windows installation files. If they were copied to the
hard drive, this is, by default, C:\Windows\Options\Cabs. You can also
insert the Windows installation CD in the CD-ROM drive and browse to that
location.
6. Click OK and follow the prompts.
Windows 95 (or alternative method for Windows 98/Me)
If you are using Windows 95, you need to use the extract command. This
can also be used on Windows 98/Me.
1. Click Start, point to Find or Search, and then click Files or
Folders.
2. Make sure that "Look in" is set to (C:) and that Include
subfolders is checked.
3. In the "Named" or "Search for..." box, type:
precopy1
4. Click Find Now or Search Now. If it does not exist on the hard
drive, then insert the Windows installation CD and repeat the search on
that drive.
5. When you find the file, write down the location of Precopy1, for
example, C:\Windows\Options\Cabs. This is your Source Path.
6. The general form of the Extract command is:
extract /a <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command
NOTE: Make sure that you include the /a switch, as shown. Depending on
your version of Windows, the Sulfnbk.exe file can be in a .cab file other
than Precopy1.cab. By using the /a switch, the Extract program will look
first in the Precopy1.cab, and if the file is not found there, it will
look in all subsequent .cab files until it is found, and can be extracted.
So if the source path is C:\Windows\Options\Cabs, then the Extract
command becomes:
extract /a c:\windows\options\cabs\precopy1.cab sulfnbk.exe /L c:\windows\command
NOTE: If you installed Windows to a different location, make the
appropriate substitution.
7. Click Start and then click Run.
8. Type the following, making the appropriate substitutions as
previously noted:
extract /a <Source Path>\precopy1.cab sulfnbk.exe /L c:\windows\command
9. Click OK.
For more information on how to use the Microsoft Extract command, see
the Microsoft Knowledge Base document, How to Extract Original Compressed
Windows Files, Article ID: Q129605
Write-up by: Patrick Martin
© 1995-2001 Symantec Corporation.
All rights reserved.