Identifying Virus Hoaxes
Information Note Number: IN02-001
11 January 2002
Purpose
In recent weeks OCIPEP has received several reports of virus hoaxes. Virus hoaxes are virus "warnings" about non-existent viruses and serve no purpose other than alarming people and deluding them into forwarding SPAM. Recently, some of the circulating hoaxes have been designed to trick users into corrupting their systems by following a detailed procedure which supposedly sanitises the system and removes the virus.
There are many virus hoaxes, and any given hoax can have multiple variations; however, most share some of the following characteristics:
- the e-mail is written to be alarmist;
- the virus is highly destructive either on opening, or set to trigger at a later date;
- the anti-virus vendors either are not aware of the virus or are unable to stop it;
- a large or well-known company is confirming the existence of the virus.
Sometimes there is a ring of truth to the virus hoax. Virus authors have been known to create legitimate viruses which mimic the details included in a virus hoax. Likewise, a virus hoax could be written to be deliberately confused with a legitimate virus.
An example of a virus hoax which displays these characteristics is the SULFNBK hoax. This hoax has been circulating since April 2001, and has many variations in several different languages including Portuguese, English, French, Dutch, Danish, Spanish, German, and Italian. SULFNBK has been reported to OCIPEP multiple times in the last month. The hoax instructs the reader to search for a file called sulfnbk.exe. If the file is found, supposedly the system is infected with a destructive virus and the reader is instructed to delete the virus right away. In reality, sulfnbk.exe is a legitimate Windows utility used to display long filenames. Deleting the file can cause long filenames to be displayed as their eight-character DOS names.
The presence of sulfnbk.exe on a system does not imply the system is infected; rather, as with any other file on a system, it can be infected or compromised if it is targeted by a legitimate virus. For example, there is a variant of the Magistr virus which spreads using an attachment called sulfnbk.exe, yet following the hoax instructions will eliminate the file whether it is infected or not. Anti-virus scanners with updated signature files will detect this variant of the Magistr virus.
An example of the SULFNBK hoax which was recently reported to OCIPEP is the following (only English variants have been reported):
Subject: VIRUS ALERT
ATTENTION:
There is a virus going around that is transmitted automatically via addressbooks. Because I have your address you might have the virus as it was sent to me by someone in my address book. The virus is not detected by McAfee or Norton, and it lies dormant for 14 days then it closes down your entire system!
The attached letter is a simple yet effective method of finding and deleting the virus before it can do you any harm. Please act PROMPTLY.
- Go to START then to FIND OR SEARCH (depending on your computer)
- In the search for files or folders type in: sulfnbk.exe this is the virus.
- In the look in make sure you're searching Drive C.
- Hit search button (or find)
- If this file shows up (it's an ugly blackish icon that will have the name sulfnbk.exe). DO NOT OPEN IT
- Right click on the file - go down to delete and left click.
- It will ask you if you want to send it to the recycle bin, say yes.
- Go to your desktop (where all your icons are) and double click on the recycle bin.
- Right click on sulfnbk.exe and delete again or empty the bin.
If you find it, send this email to all in your address book, because that's how it's transferred.
Examples in other languages, as well as further details about the SULFNBK hoax can be found at:
Symantec.com
http://vil.nai.com
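The characteristics listed above can be turned into a rough triage check for a help desk or mail gateway. The following Python code is an added example, not part of the original OCIPEP note; the patterns, the company names, the threshold and the function name assess_warning are assumptions, and both sample messages are constructed (the first is an excerpt of the hoax quoted above).

```python
import re

# Patterns derived from the characteristics listed in this note. The regexes,
# the threshold and all names here are illustrative assumptions.
INDICATORS = {
    "alarmist_tone": r"\b(virus alert|act promptly|urgent|attention|warning)\b",
    "destructive_or_delayed": r"lies dormant|closes down your entire|destroy|wipe",
    "av_cannot_detect": r"not (be )?detected by|anti-?virus[^.]{0,60}(unable|not aware)",
    "company_confirms": r"\b(microsoft|ibm|aol|cnn)\b[^.]{0,60}(confirm|announc)",
    "forward_to_everyone": r"(send|forward) (this|it)[^.]{0,40}(all|everyone)[^.]{0,40}address ?book",
    "manual_delete_steps": r"\b(delete|recycle bin|empty the bin)\b",
}
FILENAME = re.compile(r"\b[\w-]+\.(?:exe|dll|com|sys|vxd)\b", re.I)

def assess_warning(text, threshold=3):
    """Score a forwarded virus warning against the hoax characteristics."""
    lowered = text.lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, lowered)]
    # File names matter only when the message also tells the reader to delete.
    targets = []
    if "manual_delete_steps" in hits:
        targets = sorted({m.lower() for m in FILENAME.findall(text)})
    return {
        "indicators": hits,
        "files_to_delete": targets,
        "likely_hoax": len(hits) >= threshold,
        # Advice to delete files by hand should go to support staff first.
        "escalate_to_helpdesk": bool(targets),
    }

# Constructed excerpt of the SULFNBK sample quoted in this note.
SAMPLE_HOAX = """Subject: VIRUS ALERT
There is a virus going around that is transmitted automatically via addressbooks.
The virus is not detected by McAfee or Norton, and it lies dormant for 14 days then it closes down your entire system!
Please act PROMPTLY.
In the search for files or folders type in: sulfnbk.exe this is the virus.
Right click on the file - go down to delete and left click.
If you find it, send this email to all in your address book, because that's how it's transferred."""

# Constructed benign notice for contrast.
SAMPLE_NOTICE = "The help desk will deploy updated anti-virus signatures tonight. No action is required."

if __name__ == "__main__":
    for label, msg in (("hoax sample", SAMPLE_HOAX), ("notice", SAMPLE_NOTICE)):
        print(label, assess_warning(msg))
```

A match is a reason to check the message against a vendor hoax list before anyone acts on it, not a verdict on whether the named file is infected.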
Suggested Action
When dealing with a legitimate virus warning, corporate users should contact their local help desk or computer support personnel, and not attempt to implement any patches without assistance. Home users should use an automated virus cleaning program, if available from the anti-virus vendor, in order to repair infected systems. If an automated tool is not available, refer to an anti-virus site for instructions on manual removal.
If an unsolicited e-mail warning about a new virus is received, always verify whether the message is genuine or a hoax. If the e-mail is a hoax, or if there is doubt as to its authenticity, do not forward the message and do not attempt to execute any procedures or attachments.
Many anti-virus vendors maintain a list of known hoaxes. Several good references are:
Symantec.com
Canada-av.com (choose "hoaxes" from the menu)
http://vil.nai.com
Searching for keywords (for example "sulfnbk.exe") on anti-virus sites will often help locate information about hoax viruses as well.

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca