Buggy McAfee update slams Windows XP PCs

By Broni
Apr 21, 2010
Topic Status:
Not open for further replies.
  1. http://isc.sans.org/diary.html?storyid=8656

    McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It cannot be used to undo this bad signature because affected systems will lose network connectivity.

    The problem is a false positive which identifies a regular Windows binary, "svchost.exe", as "W32/Wecorl.a", a virus. If you are affected, you will see a message like:

    The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
    Undetermined clean error, OAS denied access and continued.
    Detected using Scan engine version 5400.1158 DAT version 5958.0000.

    McAfee released an updated DAT file, and an "EXTRA.DAT" file to fix the problem. An EXTRA.DAT file is a patch to just fix the bad signature. McAfee's support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue.

    Several readers reported that this procedure worked to recover:

    1 - Boot the system in "Safe Mode"
    2 - copy extra.dat in c:/program files/common files/mcafee/engine
    3 - reboot.

    If you lost "svchost.exe", then you need to copy it back to c:/Windows/system32/svchost.exe while in safe mode. This fix has to be applied locally at the workstation. However, it may be possible to do this remotely if your workstations support Intel's "vPro" technology. We should have a link to instructions shortly.

    Additional information from McAfee: http://community.mcafee.com/thread/24056?tstart=0
    McAfee Knowledgebase Article: https://kc.mcafee.com/corporate/index?page=content&id=KB68780
    EXTRA.DAT file: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240.
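
A triage sketch for the alert text quoted in the post above, added here as an example (it is not part of the post or of the ISC diary). It separates the known DAT 5958 false positive on `svchost.exe` from alerts that share the detection name but should still be investigated; the host names, sample alerts and classification labels are constructed for illustration.

```python
import re
from ntpath import normcase  # Windows path rules, usable on any OS

# Pattern for the three-line on-access alert quoted in the post above.
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) contains the (?P<name>\S+) Virus\."
    r".*?DAT version (?P<dat>\d+)\.\d+",
    re.DOTALL,
)
BAD_DAT = "5958"             # DAT version named in the post
BAD_NAME = "W32/Wecorl.a"    # detection name named in the post
TARGET = normcase(r"C:\WINDOWS\system32\svchost.exe")

def classify(alert_text):
    """Label one alert; only the exact 5958/svchost.exe pair is the known false positive."""
    m = ALERT_RE.search(alert_text)
    if m is None:
        return "unparsed"
    if m["name"] != BAD_NAME:
        return "other-detection"
    if normcase(m["path"].strip()) == TARGET and m["dat"] == BAD_DAT:
        return "dat-5958-false-positive"
    # Same name on another file or another DAT: do not dismiss it.
    return "investigate"

def hosts_needing_extra_dat(alerts):
    """Hosts whose alert matches the false positive and so need the local fix."""
    return sorted(h for h, text in alerts.items()
                  if classify(text) == "dat-5958-false-positive")

TAIL = ("\nUndetermined clean error, OAS denied access and continued."
        "\nDetected using Scan engine version 5400.1158 DAT version {}.0000.")
# Constructed sample alerts; host names and the ws-003 path are made up.
SAMPLE_ALERTS = {
    "ws-001": r"The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus." + TAIL.format("5958"),
    "ws-002": r"The file c:\windows\SYSTEM32\svchost.exe contains the W32/Wecorl.a Virus." + TAIL.format("5958"),
    "ws-003": r"The file C:\Temp\svchost.exe contains the W32/Wecorl.a Virus." + TAIL.format("5958"),
    "ws-004": r"The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus." + TAIL.format("5959"),
    "ws-005": "log rotated",
}

if __name__ == "__main__":
    for host, text in SAMPLE_ALERTS.items():
        print(host, classify(text))
    print("apply extra.dat locally on:", hosts_needing_extra_dat(SAMPLE_ALERTS))
```
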
  2. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    Thanks for this Broni. I know several people who run XP3 with McAfee.

    Danger Will Robinson!
  3. Broni

    Broni Malware Annihilator Topic Starter Posts: 45,226   +243

    Roughly half of all new computers have that THING preinstalled :)
  4. LNCPapa

    LNCPapa TS Special Forces Posts: 4,199   +229

    Unfortunately I got seriously slammed by this today at work.
  5. Broni

    Broni Malware Annihilator Topic Starter Posts: 45,226   +243

    Did you recover?
  6. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    Ouch! Where are you at in the process?
  7. LNCPapa

    LNCPapa TS Special Forces Posts: 4,199   +229

    We're pretty much all recovered now. Good thing is McAfee blocked the dat file pretty quickly and then pushed out 5959 before the end of the day. We only had to fix the machines that happened to update during that period yesterday. Couple hundred machines max. Before 5959 came out we were provided with an extra.dat by McAfee to get some of those machines back up and running.
  8. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    It pays to have tech knowledge/training.

    I feel sorry for all the regular customers out there who have McAfee and the extent of their tech knowledge is the power on switch, using a mouse, and running Office and playing games.