False positive detection of w32/wecorl.a in 5958 DAT
Corporate KnowledgeBase ID: KB68780
Published: April 22, 2010
Environment
For details of all supported operating systems, see KB51109
Summary
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.
WARNING: If you receive a detection for w32/wecorl.a, DO NOT restart your computer until you have performed the remediation steps in this article.
Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.
To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.
This article will be updated as additional information becomes available.
Problem
DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.
Solution 1
McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.
Q: What does the SuperDAT Remediation Tool Do?
A: The tool suppresses the driver causing the false positive by applying an Extra.dat file in the C:\Program Files\Common Files\McAfee\engine folder. It then restores svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If that copy is not present, it attempts to restore the file from %WINDOWS%\servicepackfiles\i386\svchost.exe. If svchost.exe is not present there either, it attempts to restore it from Quarantine. After the tool runs, the system must be rebooted.
Recommended Recovery SuperDAT Procedure
Solution 2
The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:
http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.
Recovery procedure using DAT 5959
If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
If you are unable to use the copy and paste functions in Windows, click Start, Run, type CMD, then click OK. At the command prompt, type the command below and press ENTER:
copy C:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
NOTE: Change the source path to match the location where svchost.exe exists on your system.
IMPORTANT: The two computers must have the same version of Windows.
Workaround
McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
To apply the EXTRA.DAT locally to an affected computer:
IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.
To apply the EXTRA.DAT locally:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
If you are unable to restore svchost.exe from Quarantine or if svchost.exe is 0 bytes:
If you are unable to use the copy and paste functions in Windows, click Start, Run, type CMD, then click OK. At the command prompt, type the command below and press ENTER:
copy C:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
NOTE: Change the source path to match the location where svchost.exe exists on your system.
IMPORTANT: The two computers must have the same version of Windows.
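The restoration order described for the SuperDAT tool above (dllcache, then ServicePackFiles\i386, then Quarantine) and the 0-byte check from the manual procedure, modelled as an added example. This is not McAfee's tool or any code from this article; it runs against a constructed directory tree, takes the system32, Windows and Quarantine paths as parameters, and simplifies Quarantine to a folder holding a plain copy of svchost.exe.

```python
import os
import shutil
import tempfile

SVCHOST = "svchost.exe"

def needs_restore(system_dir):
    """True when system32\\svchost.exe is missing or truncated to 0 bytes."""
    target = os.path.join(system_dir, SVCHOST)
    return not os.path.isfile(target) or os.path.getsize(target) == 0

def candidate_sources(system_dir, windows_dir, quarantine_dir):
    """Restoration sources in the order the article gives them."""
    return [
        os.path.join(system_dir, "dllcache", SVCHOST),
        os.path.join(windows_dir, "ServicePackFiles", "i386", SVCHOST),
        os.path.join(quarantine_dir, SVCHOST),  # simplification, see lead-in
    ]

def restore_svchost(system_dir, windows_dir, quarantine_dir):
    """Copy the first present, non-empty source over the target.
    Returns the source used, None if the target was already intact, and
    raises FileNotFoundError when no usable copy exists anywhere."""
    if not needs_restore(system_dir):
        return None
    target = os.path.join(system_dir, SVCHOST)
    for src in candidate_sources(system_dir, windows_dir, quarantine_dir):
        # A 0-byte source is no better than the damaged target; skip it.
        if os.path.isfile(src) and os.path.getsize(src) > 0:
            shutil.copyfile(src, target)
            return src
    raise FileNotFoundError("no usable copy of svchost.exe found")

def demo(root=None):
    """Constructed scenario: 0-byte target and dllcache copy, good SP copy."""
    root = root or tempfile.mkdtemp()
    windows = os.path.join(root, "WINDOWS")
    system32 = os.path.join(windows, "system32")
    sp_dir = os.path.join(windows, "ServicePackFiles", "i386")
    quarantine = os.path.join(root, "Quarantine")
    for d in (os.path.join(system32, "dllcache"), sp_dir, quarantine):
        os.makedirs(d, exist_ok=True)
    for empty in (system32, os.path.join(system32, "dllcache")):
        open(os.path.join(empty, SVCHOST), "wb").close()  # truncated to 0 bytes
    with open(os.path.join(sp_dir, SVCHOST), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # constructed stand-in, not a real PE
    used = restore_svchost(system32, windows, quarantine)
    return used, os.path.getsize(os.path.join(system32, SVCHOST))
```

Calling demo() builds the tree in a temporary directory and returns the source actually used together with the restored file's size, so the fallback past the empty dllcache copy can be seen directly.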
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:
Related Information
Threat Center (McAfee Avert Labs) http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/
Submit a virus sample https://www.webimmune.net/default.asp
Security updates and DAT files
http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
For additional information about EXTRA.DAT files, see KB68759.