The Story of the sulfnbk.exe Hoax Virus
(Not to be confused with the Honor System virus...)
Downloaded from the Net

A sulfnbk.exe virus alert surfaced in April 2001. The basic alert achieved immense popularity with gullible users by late-May 2001. Antivirus vendors declared it a hoax for the most part -- but Vmyths.com categorizes it as a mass-hysteria urban legend.

Clueless people kept rewriting the sulfnbk.exe alert. They didn't seem content to forward the warning they received...

Let's begin with a plausible scenario of how the sulfnbk.exe hysteria began. Based on readers' input to our HoaxFYI service, here's what we think really happened:

- Someone's PC got infected with the well-known Magistr worm/virus. It forwarded itself to others as an attachment in emails. One of those emails went out with an attachment named SULFNBK.EXE.
- A recipient detected the virus with antivirus software.
- The recipient searched his PC for "sulfnbk.exe" -- and he found it. (It's a standard Windows operating system file.) Yet, try as he might, he couldn't get his antivirus software to detect a virus in that file. So he deleted it from his PC.
- The well-meaning recipient sent a warning to his colleagues telling them how to search for the evil file.
- Another well-meaning user received the warning, found the "virus" on his own system, and sent a warning of his own.
- Another well-meaning user received that warning, found the "virus" on his own system, and sent a warning of his own.
- Another well-meaning user received that warning...

Many well-meaning users fell prey to False Authority Syndrome when they "detected" SULFNBK.EXE on their computers. The alert took on numerous forms in numerous languages -- because so many clueless people kept rewriting the alert. They didn't seem content to just forward the original warning they received... McAfee confirms sulfnbk.exe warnings appeared in English, Spanish, Portuguese, Dutch, and Italian.
Vmyths.com saw French and German versions, and we believe well-meaning users translated the warnings from one language to another. (Caveat: based on readers' input to our HoaxFYI service, Vmyths.com believes one of the more popular English variants derived from McAfee's website.)

The sulfnbk.exe alert reached critical mass in late-May 2001, and concerned users quickly made it one of the Top 50 search phrases on Lycos. Lycos pundit Aaron Schatz reported "searches for the virus [began] about five weeks ago and in the last two weeks have gone up an obscene 1410 percent." Lycos listed it as the #2 search phrase for the week ending 2 June 2001.

Did you get duped? Did you delete the file?

Why did this urban legend turn so quickly into mass hysteria? Consider the following:

- The basic chain letter identifies an obscure file found on tens of millions of PCs -- and it offers simple instructions on how to find the file in question.
- The file's associated icon looks childish, giving the impression an immature hacker drew it.
- Some variants warned the virus would activate on "May 25," thereby giving the chain letter a heightened sense of urgency. Later variants warned the virus would activate on 1 June.
- Gullible users assumed they found a dangerous virus -- simply because they found a file on their PC. They then fell victim to False Authority Syndrome. (Vmyths.com surmises the 25 May & 1 June dates likewise devolved from gullible users who suffer from False Authority Syndrome.)
- Many variants of the chain letter urged people to forward the alert as part of an apology letter: "if you detect the virus you in turn need to contact everyone you have send [sic] ANY email to in the past few months and share this waring [sic] with them." One woman obediently wrote to her friends, "I am sorry if Sulfnbk is on your computer..." A man wrote to his colleagues, "I maight [sic] have unwittingly been spreading a virus via email..."
These apology letters only added to the confusion, which added to the hysteria's success. Mary Landesman (antivirus.about.com) summed it up quite nicely: "hoaxes survive simply by causing confusion." And the sulfnbk.exe hysteria did an excellent job at causing confusion.

The hysteria probably also erupted for another set of reasons. Consider the following:

- Antivirus software regularly fails to detect newly discovered viruses. Examples include Melissa, ExploreZip, MiniZip, BubbleBoy, ILoveYou, NewLove, KillerResume, Kournikova, and NakedWife.
- When antivirus software fails, it fails spectacularly. Examples include all the end-of-the-world stories about Melissa, ILoveYou, and Kournikova.
- Customers buy antivirus software knowing it will fail spectacularly.

So you're staring at a file on your PC. It's SULFNBK.EXE, just like your podiatrist's secretary warned. Your antivirus software says "everything's cool," but it said the same thing when Melissa & ILoveYou struck. What would you do in this situation? It looks like people overwhelmingly trusted their eyeballs more than their antivirus software.

Vmyths.com repeats -- the basic sulfnbk.exe alert shows all the markers of an urban legend, not a "hoax." We've seen this type of mass hysteria before and we'll probably see it again.

The correct translation

If we translate the sulfnbk.exe chain letter for the real world, it would read as follows:

I went to the place where I work, and I shouted, and guess what? I got a response. Creepy! I reloaded twice just to be sure. Trust me, you need to follow these instructions.

Go to the place where you work. Shout out, 'can anyone hear me?' If you get a response, shoot to kill -- it's a homicidal maniac! Well, actually, he's not a maniac yet. That's why the police can't help you. But he'll turn into a homicidal maniac on June 1. Shoot him! Do it right now! Better safe than sorry!

Good news: you killed the homicidal maniac.
Bad news: everyone you spoke to in the last few months now has a homicidal maniac at work. Warn all of your friends!

- o -