The critical svchost.exe gets deleted or quarantined

Apr 22, 2010 13:54 GMT

Customers running Windows XP Service Pack 3 together with McAfee security products have been left scrambling to restore their computers after a specific Virus Definition (DAT) file version produced a false positive detection of the w32/wecorl.a virus. The problems are caused by v.5958 of the McAfee DAT file, released on April 21, 2010, which crashed machines with a Blue Screen error and rendered them unbootable by deleting or quarantining the critical Windows svchost.exe file. Essentially, an erroneous detection routine that slipped into the malware definitions update for McAfee security products flags the Svchost.exe process as the W32/wecorl.a virus. This is nothing more than a false positive, since there is nothing wrong with Svchost.exe.

“When this false positive occurs, the Svchost.exe process may be quarantined or removed, depending on the software configuration. This behavior may cause one of the following issues: the computer shuts down when a DCOM error or a RPC error occurs; the computer continues to run without network connectivity; the computer triggers a Bugcheck,” Microsoft explained.

At the time of this article, the w32/wecorl.a McAfee false positives had been confirmed to affect only Windows XP SP3 platforms. Neither Microsoft nor McAfee indicated that any other Windows operating systems could be impacted. At the same time, the faulty DAT file has already been replaced by version 5959, which is designed to resolve the false positive detection. McAfee has also made available an EXTRA.DAT file to help customers deal with the false detection problems if they had already deployed the 5958 DAT file.

Microsoft detailed a workaround to help XP SP3 users resolve the problem manually:

“1. Restart the computer in safe mode by pressing F8 before the Windows splash screen appears.
2. Log on to the computer.
3. Press CTRL+ALT+DEL, and then click Start Windows Task Manager.
4. Select New Task (Run…) from the File menu.
5. Type cmd.exe, and then press ENTER.
6. Run the following command: ren "%programfiles%\Common Files\McAfee\Engine\avvscan.dat" avvscan.old. This behavior removes McAfee virus definitions. Make sure that you update to the latest definitions (5959 DAT or newer) after you complete these steps to restore virus definitions.
7. Run the following command: copy %systemroot%\system32\dllcache\svchost.exe %systemroot%\system32\ and press ENTER.”
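The manual workaround above is the sort of thing an administrator ends up scripting when more than one machine is affected. The batch file below is an added example, not code from the article, from Microsoft or from McAfee: it performs the same two file operations (rename avvscan.dat, restore svchost.exe from the Windows File Protection dllcache) but checks that each file exists before touching it, refuses to overwrite an earlier backup or a still-present svchost.exe, and fails loudly when there is no cached copy to restore from. It assumes it is run from the cmd.exe window opened in Safe Mode as described, on an XP SP3 machine, with the default McAfee engine path quoted in the workaround; the variable names ENGINE and SYS32 are this example's own.

```batch
@echo off
REM Added example (not from the article, Microsoft or McAfee): applies the
REM DAT 5958 recovery workaround with existence checks. Run from cmd.exe in
REM Safe Mode on an affected Windows XP SP3 machine.
setlocal

REM Paths taken from the workaround in the article; adjust ENGINE if McAfee
REM was installed somewhere else.
set ENGINE=%ProgramFiles%\Common Files\McAfee\Engine
set SYS32=%SystemRoot%\system32

REM Step 1: take the faulty definitions out of use by renaming avvscan.dat.
REM Only rename if it is present, and never clobber an earlier avvscan.old.
if exist "%ENGINE%\avvscan.dat" (
    if exist "%ENGINE%\avvscan.old" (
        echo avvscan.old already exists under "%ENGINE%"; leaving both files in place.
    ) else (
        ren "%ENGINE%\avvscan.dat" avvscan.old
        echo Renamed avvscan.dat to avvscan.old.
    )
) else (
    echo avvscan.dat not found under "%ENGINE%"; nothing to rename.
)

REM Step 2: put svchost.exe back from the Windows File Protection cache if the
REM live copy was deleted or quarantined. A copy that is still in place is
REM left alone.
if exist "%SYS32%\svchost.exe" (
    echo svchost.exe is already present in system32; not overwriting it.
) else (
    if exist "%SYS32%\dllcache\svchost.exe" (
        copy "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe"
        echo Restored svchost.exe from dllcache.
    ) else (
        echo ERROR: no cached svchost.exe in "%SYS32%\dllcache"; restore it from the XP SP3 installation media or a known-good machine instead.
        exit /b 1
    )
)

REM Step 3: the machine now has no McAfee definitions loaded, so remind the
REM operator to update to the corrected DAT (5959 or newer) after rebooting.
echo Reboot normally and update to DAT 5959 or newer to restore virus definitions.
exit /b 0
```

Because the script only renames and copies files that are verified to exist, it is safe to re-run on a machine that has already been fixed, which matters when it is wrapped in a task sequence and pushed to many computers at once.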

The Redmond company has also documented the steps necessary for IT administrators who need to restore multiple XP SP3 computers. However, IT admins will need Configuration Manager 2007 in order to put together a Task Sequence. Frank Rojas, Support Escalation Engineer, has all the details.

UPDATE: Here is a KB article from McAfee with details on how to deal with this issue: False positive detection of w32/wecorl.a in 5958 DAT (for Corporate/Business users) - VirusScan Enterprise.