CERT-In Advisory CIAD-2010-29
McAfee VirusScan DAT Update Leads to Microsoft Windows System Failure
Original issue date: April 23, 2010
Severity Rating: High
Systems Affected
- Microsoft Windows XP SP3
- VirusScan Enterprise 8.5i and later
Overview
It has been reported that McAfee's malware definition update file 5958 DAT, distributed to VirusScan, has detected the genuine Windows file svchost.exe as being infected with new variants in the Wecorl family of malware (W32/Wecorl.a). The application has caused a blue screen or DCOM error, followed by shutdown messages like the following:

The affected system will enter a loop and lose all network access.
Workarounds
- Boot into safe mode, replace the erroneous DAT file with the EXTRA.DAT file, and reboot. To deploy through ePO (ePolicy Orchestrator), refer to the articles
- Remove the affected DAT file and restore to a previous version in safe mode.
Solutions
- Restore svchost.exe with the Super DAT remediation Tool
- Update to 5959 DAT or later (unaffected users).
Refer to the following McAfee knowledge base articles for detailed steps:
- Corporate users and administrators: KB68780
- Home users: TS100969
Vendor Information
McAfee
https://kc.mcafee.com/corporate/index?page=content&id=KB68780
References
McAfee
http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100970
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240
http://service.mcafee.com/faqdocument.aspx?id=TS100969
http://community.mcafee.com/thread/24056?tstart=0
ISC SANS
http://isc.sans.org/diary.html?storyid=8656
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=20375
US-CERT
http://www.us-cert.gov/current/index.html#mcafee_dat_5958_issues
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
