[ISN] Real virus piggybacks on e-mail hoax

From: InfoSec News (isnat_private)
Date: Mon Jun 04 2001 - 16:12:40 PDT

  • Next message: InfoSec News: "[ISN] Is Military Hiding Hacks?"

    By Rachel Konrad
    Staff Writer, CNET News.com 
    June 4, 2001, 1:55 p.m. PT 
    It sounds like the newest twist in a second-rate thriller: Just when
    you were lulled into thinking it was a harmless prank, the killer
    virus attacks!
    A hoax e-mail warning people that their PCs might contain a virus
    duped an untold number of people into deleting the sulfnbk.exe file
    from their hard drives last week. But now some computer users are
    receiving another e-mail with "sulfnbk.exe" in the subject line--and
    this time it may actually contain a harmful virus.
    People who have received the virus say that launching the attached
    application lets loose a worm that could do substantial harm to the
    user's computer and to the machines of everyone on their e-mail lists.  
    "My concern is that because of the original hoax, people will have
    their guard down where this file is concerned," a system administrator
    wrote in an e-mail message. The company's anti-virus software caught
    the worm on a worker's computer.
    But antivirus experts say a prankster did not send computer users a
    hoax to lull them into an actual attack. The sulfnbk.exe file is safe
    and does not contain a virus. Instead, a second attachment in the same
    e-mail contains the harmful W32Magistr@MM virus.
    The virus, dubbed "Magistrate," has a variety of official file names
    that include numbers before the @ symbol. First detected March 13,
    Magistrate files may also be named W32Magistr.24876@mm.
    Most anitvirus software detects and destroys Magistrate before it
    harms users' computers, but letting Magistrate loose could have
    disastrous consequences. Security experts at Symantec rate it a four
    on a scale of 1-5 for its potential danger, which includes system
    crashes and the release of confidential information.
    The self-propagating worm infects Windows files and sends itself to
    all addresses in the Outlook/Outlook Express e-mail folders, the "sent
    items" file from Netscape and the Windows address book. Although it
    picks random copy from infected users' hard drives, Symantec cautions
    that the virus could send confidential Microsoft Word documents to
    others on the user's e-mail list.
    E-mail sent from machines infected with Magistrate may have up to two
    attachments, as well as randomly generated subject lines and message
    The sulfnbk.exe hoax began at least a month ago and quickly spread
    around the world as computer users, on heightened alert after a slew
    of media reports regarding nasty viruses, passed e-mail warnings about
    the potential threat. Many people deleted sulfnbk.exe--a Windows
    system file that helps identify long file names.
    Magistrate-infected computers then received the well-intentioned
    warning and spammed others with e-mail. The randomly generated subject
    line reads "sulfnbk.exe" and includes the harmless sulfnbk.exe file.
    The other attachment is the Magistrate virus.
    "Magistrate is a particularly nasty one," said Vincent Weafer,
    director of Symantec's antivirus research center. "It's definitely in
    the wild because we still get fairly constant reports of it."
    Rob Rosenberger, editor of virus information site Vmyths.com, says the
    quick spread of the sulfnbk.exe hoax and the piggyback Magistrate
    virus reflects the complicated propagation of viruses, but it's also a
    simple indictment of security companies and the antivirus software
    they sell.
    "People don't trust their antivirus software," Rosenberger said. "For
    years, we've been given antivirus software that regularly fails, and
    when it fails it fails spectacularly.
    "People have been conditioned over the years that their antivirus
    software will fail. People trust their eyeballs more than they trust
    software, so when they see an e-mail from their friend warning of a
    virus, they believe it more than the software."
    Confusion about which warnings are hoaxes and which are real could
    mount in the future as virus creators become more sophisticated.
    Microsoft called the sulfnbk.exe hoax an example of "social
    engineering," and experts agree that computer users may soon become
    the target of hackers who play sophisticated psychological games with
    computer users.
    Symantec has already detected legitimate viruses sent after hoax
    viruses meant to lower computer users' guard. Rosenberger calls the
    increasingly common phenomenon "ex-post hoaxo."
    "I've got a funny feeling that hoaxters are going to create more
    ex-post hoaxos," Rosenberger said. "It wouldn't be hard for somebody
    to write a worm that spreads itself as sulfnbk.exe. The e-mail can
    say, 'Hey Connie, in case you got duped by the hoax, go ahead and put
    this attachment in your Windows/command directory.'"
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 07:02:00 PDT