Wednesday, 21 April 2010

Many users of McAfee's virus scanning products are experiencing some real pain today due to a false positive virus alert (for the wecorl.a virus) that is resulting in DCOM error reboots and, in many cases, the removal of the valid Windows svchost.exe file from affected systems.

Despite the massive slew of articles and posts on web sites today saying a new virus is in the wild and infecting computers (typically calling it a zero-day vulnerability), this is not in fact a virus outbreak, as anyone who knows how to use Google and has a remotely curious mind can discover in a matter of seconds. It's an antivirus false positive. The wecorl.a trojan is a couple of years old, and this is not it. Even if it were a virus, it would not be zero-day.

In a nutshell, McAfee made a big mess with their AV update early this morning, and they are working feverishly to fix it. Read on.

First of all, if you're affected by the problem described below, information about a workaround fix and an update is available from McAfee at the McAfee Threat Center web site:

One of my own computers fell victim to this today, and I've been fighting with it since. I just got it back online, restored to normal and fully operational. My problem started at about 7am today and so I was figuring it out on my own, but the instructions McAfee has provided for the workaround/fix (linked above) are basically the same thing.

A DAT (virus definition 5958) file that appears to have been released earlier today has an issue that causes the valid Microsoft svchost.exe critical system file to be flagged as infected. It's not infected, though. This appears to primarily impact Windows XP SP3 computers, but it could be broader than that. As a result of the false flagging of the file, the McAfee AV software takes action, which can include doing nothing, quarantining the file, or in some cases removing it completely (that's what happened to mine).

If the file is quarantined or deleted, Windows stops working normally and a lot of the typical Windows functionality just isn't there anymore: things like the Start menu, drag and drop, copy and paste in Explorer, and a whole lot more. You can still open Task Manager and launch new tasks manually, and the CMD window (command line shell) works just like always, so it's possible to get around and fix it up.

If you are running McAfee VirusScan and have signature file version 5958 (open the "About" dialog and look for the DAT version), then it appears you are affected. Rolling back to 5957.0000 (which was issued 4/20) will resolve the issue. There is also an "extra.dat" file available that can be dropped into the McAfee AV scanner's DAT directory while in Safe Mode, after which the computer should be restarted. Or if you're a business using ePO to centrally manage your AV system, you can push it out that way.

But if your svchost.exe file has been quarantined or deleted, you'll have to do some hands-on repair (at least for now, until a better solution is put together). The link at the top of this article walks you through what's needed.
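For anyone triaging a batch of machines, here is a small script that applies the checks described above: it parses the DAT version you read from the About dialog, flags 5958 as the affected release, and compares the live svchost.exe against the copy Windows File Protection keeps in system32\dllcache, offering to put that copy back if the live one is missing or differs. This is an added example written for this post, not a McAfee tool or anything McAfee publishes; it assumes the Windows XP layout where a pristine svchost.exe lives in system32\dllcache, and the directory paths, function names and the "MZ-fake" bytes in the test fixture are constructed for illustration.

```python
"""Triage helper for the DAT 5958 / svchost.exe false positive (added example)."""
import hashlib
import os
import shutil
from pathlib import Path
from typing import List

AFFECTED_DAT = 5958      # the DAT release that mis-flags svchost.exe
KNOWN_GOOD_DAT = 5957    # the previous release, which rolling back to resolves the issue


def dat_major(version: str) -> int:
    """Parse a DAT version as shown in the About dialog, e.g. '5958.0000' -> 5958."""
    return int(version.strip().split(".")[0])


def dat_is_affected(version: str) -> bool:
    """True if the installed DAT is the bad 5958 release."""
    return dat_major(version) == AFFECTED_DAT


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def svchost_status(system32: Path) -> str:
    """Classify the live svchost.exe relative to the dllcache reference copy.

    Returns one of: 'ok', 'missing', 'differs', 'no-reference'.
    """
    live = system32 / "svchost.exe"
    ref = system32 / "dllcache" / "svchost.exe"
    if not ref.exists():
        return "no-reference"   # nothing to compare against (e.g. dllcache was purged)
    if not live.exists():
        return "missing"        # the scanner quarantined or deleted it
    return "ok" if sha256_of(live) == sha256_of(ref) else "differs"


def restore_svchost(system32: Path) -> bool:
    """Copy the dllcache reference back into place; returns True if a copy was made."""
    ref = system32 / "dllcache" / "svchost.exe"
    if not ref.exists():
        return False
    shutil.copy2(ref, system32 / "svchost.exe")
    return True


def triage(dat_version: str, system32: Path) -> List[str]:
    """Return the ordered list of recommended actions for this machine."""
    actions: List[str] = []
    if dat_is_affected(dat_version):
        actions.append(f"roll back DAT to {KNOWN_GOOD_DAT} or apply McAfee's extra.dat")
    status = svchost_status(system32)
    if status in ("missing", "differs"):
        actions.append("restore svchost.exe from dllcache (or from quarantine), then reboot")
    elif status == "no-reference":
        actions.append("no dllcache copy; verify svchost.exe manually against install media")
    if not actions:
        actions.append("no action needed")
    return actions


if __name__ == "__main__":
    import sys
    # Usage: python triage.py 5958.0000   (version string copied from the About dialog)
    version = sys.argv[1] if len(sys.argv) > 1 else "5958.0000"
    sysroot = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "system32"
    for line in triage(version, sysroot):
        print(line)
```

The script only reports and, if you call restore_svchost explicitly, copies the protected reference back; it deliberately does not touch the DAT files, since the rollback or extra.dat step belongs to the scanner (or ePO) rather than to a hand-written copy.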

This is a serious challenge today for McAfee. Their web sites appear to be badly overloaded, and I have friends in the business who are waiting on hold with McAfee for extended periods of time. In speaking with people working at other (huge) companies, it's apparent the impact is huge and widespread. Thousands of people who should be working are dead in the water now, so to speak, with no computer to do their work on.

I hate to think what the financial impact of this is. It's got to be huge. Follow the link above and check it for updates from McAfee as time goes on.

IT Security | Tech
Wednesday, 21 April 2010 12:07:18 (Pacific Standard Time, UTC-08:00)

Thursday, 22 April 2010 05:01:38 (Pacific Standard Time, UTC-08:00)
Hi Greg - yep, our company got hammered by this yesterday, and we had it pop up at home as well. Wheeee!