Computer security

Solutions McAfee: False positive detection of w32/wecorl.a in 5958 DAT (for Corporate/Business users) – VirusScan Enterprise

Corporate KnowledgeBase ID: KB68780
Published: April 22, 2010

Environment

Microsoft Windows XP with SP3

Summary

IMPORTANT:

  • This article applies to Corporate or Business users only.
  • If you are a Home or Consumer user, see article TS100969.

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

WARNING: If you receive a detection for w32/wecorl.a, do not restart your computer until you have performed the remediation steps in this article.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

Problem

Blue screen or DCOM error, followed by shutdown messages, after updating to the 5958 DAT on April 21, 2010.

Solution 1

McAfee has developed a SuperDAT remediation tool to restore the svchost.exe file on affected systems.

What does the SuperDAT Remediation Tool do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in the C:\Program Files\Common Files\McAfee\Engine folder. It then restores svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If that copy is not present, it attempts a restore from the following:

  • %WINDOWS%\ServicePackFiles\i386\svchost.exe
  • Quarantine

After the tool has been run, restart your computer.

Recommended recovery SuperDAT procedure

  1. From a computer that has Internet access, download the Recovery SuperDAT from http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
  2. Take the portable media to each affected computer.

     NOTE: If you are not able to run the tool on the affected computer, (re)start the computer in Safe Mode. For instructions on starting in Safe Mode, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true

  3. Run the Recovery SuperDAT tool.
  4. Restart in normal mode.
  5. Use the product update to update to DAT 5959.

Solution 2

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at: http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

IMPORTANT: If you are already affected by this issue, updating to DAT 5959 alone does not bring svchost.exe back; you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Recovery procedure using DAT 5959

  1. Download the 5959 DAT file (5959xdat.exe) on a working computer and copy it to a removable media device such as a CD or USB stick.
  2. Start the affected computer in Safe Mode with networking enabled.
  3. Copy 5959xdat.exe to the computer, then double-click it to update the VSE DAT files.
  4. Launch Windows Explorer and navigate to C:\WINDOWS\system32.
     1. If svchost.exe exists in this folder and is not a 0-byte file, continue to Step 7.
     2. If svchost.exe has been deleted (or is a 0-byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console).

        If you are unable to launch the VirusScan Console, click Start, Run, type the following command (including the quotes) and click OK:

        "C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe" /standalone

  5. Double-click Quarantine Manager Policy, then click the Manager tab.
  6. Right-click the detection and select Restore.
  7. Restart your computer normally.

If you are unable to restore svchost.exe from Quarantine, or if svchost.exe is 0 bytes, do the following:

  • If you have more than one computer:
    From an unaffected computer, copy the svchost.exe file in C:\Windows\System32 to C:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.

    IMPORTANT: The two computers must have the same version of Windows (including service pack level); otherwise the copied svchost.exe will not match the affected installation.

  • If you have a single computer, or if all your computers have been affected:
    On the affected computer, copy the svchost.exe file to C:\WINDOWS\system32 using one of the following methods:

    • From Windows Explorer, go to the folder C:\WINDOWS\ServicePackFiles\i386 (or, if not present, C:\WINDOWS\system32\dllcache), make a copy of svchost.exe, then go to C:\WINDOWS\system32 and paste the file into the folder.
    • From the command prompt (if svchost.exe is located in C:\WINDOWS\ServicePackFiles\i386), type the following command and press ENTER:

      copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32

    • From the command prompt (if svchost.exe is located in C:\WINDOWS\system32\dllcache), type the following command and press ENTER:

      copy C:\WINDOWS\system32\dllcache\svchost.exe C:\WINDOWS\system32

  • If (the correct version of) svchost.exe cannot be located on any of your computers:

    1. Start your computer from your Windows XP installation disk and select the Recovery Console.
    2. Follow the onscreen instructions and log on as the Windows XP administrator. This takes you to the command prompt.

       Example: C:\WINDOWS>

    3. From the prompt, type <drive_letter>: and press ENTER, where <drive_letter> is the drive where your XP installation disk is located. The default drive is C:.
    4. Type cd I386 and press ENTER. The prompt is now <drive_letter>:\I386>.
    5. Type expand svchost.ex_ <drive_letter>:\windows\system32 and press ENTER, where <drive_letter> is the letter of the drive where Windows XP is installed (default C). You now have a new copy of svchost.exe in your system32 folder.
    6. Type exit and press ENTER. Your computer restarts.
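The SuperDAT tool's restore order (dllcache, then ServicePackFiles, then Quarantine) and the manual copy steps above are the same procedure: take the first usable fallback copy, but only one that is the right build for the installed service pack. The script below is an added example written for this page, not McAfee's tool and not code from the article. It implements that ranked fallback with an explicit SHA-256 allow-list, so a copy from a different Windows build or a tampered file is never dropped into system32, and it treats a 0-byte stub the same as a missing file, which is the symptom the article describes. The directory layout, the allow-list and the stand-in file bytes are constructed for illustration; real svchost.exe files are not included.

```python
"""Ranked-fallback restore of a deleted or zeroed system file with a hash allow-list.

Added example, not McAfee's SuperDAT tool: mirrors the restore order the page
describes for svchost.exe (dllcache, then ServicePackFiles, then a quarantined or
known-good copy) and refuses any candidate whose SHA-256 is not on the allow-list.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def needs_restore(path):
    """True when the target is missing or a 0-byte stub, the two symptoms on the page."""
    return not os.path.isfile(path) or os.path.getsize(path) == 0


def restore_file(target, candidates, known_good_hashes):
    """Copy the first candidate that exists, is non-empty and hashes to an allowed value.

    Returns (source_path, sha256) when a copy was made, None when the target was
    already healthy, and raises RuntimeError when no candidate is acceptable.
    """
    if not needs_restore(target):
        return None
    for cand in candidates:
        if not os.path.isfile(cand) or os.path.getsize(cand) == 0:
            continue                      # same failure as the target: skip it
        digest = sha256_of(cand)
        if digest not in known_good_hashes:
            continue                      # wrong build or tampered copy: never install it
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(cand, target)
        return cand, digest
    raise RuntimeError("no usable copy found for %s" % target)


def demo():
    """Constructed scenario in a temp dir: system32\\svchost.exe is a 0-byte stub, the
    dllcache copy is corrupt (hash not allowed), ServicePackFiles holds the good build.
    The byte strings stand in for real PE files; they are constructed, not real."""
    root = tempfile.mkdtemp(prefix="xp_restore_")
    good = b"MZ-good-svchost-build"
    bad = b"MZ-corrupt"
    win = os.path.join(root, "WINDOWS")
    target = os.path.join(win, "system32", "svchost.exe")
    dllcache = os.path.join(win, "system32", "dllcache", "svchost.exe")
    spf = os.path.join(win, "ServicePackFiles", "i386", "svchost.exe")
    for path, data in ((target, b""), (dllcache, bad), (spf, good)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    allow = {hashlib.sha256(good).hexdigest()}   # hash taken from an unaffected SP3 box (assumed)
    try:
        src, digest = restore_file(target, [dllcache, spf], allow)
        return {
            "source": src,
            "source_is_servicepackfiles": src == spf,
            "restored_size": os.path.getsize(target),
            "restored_hash_ok": sha256_of(target) == digest and digest in allow,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In practice the allow-list holds the hash of svchost.exe taken from an unaffected machine at the same service pack level, which is the article's "same version of Windows" requirement made checkable before anything is copied; a candidate that fails the check is skipped rather than installed, and the RuntimeError is the point at which the Recovery Console expand step becomes the remaining option.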

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

To apply the EXTRA.DAT locally to an affected computer

IMPORTANT: For VirusScan Enterprise 8.5i and later, temporarily disable Access Protection before proceeding. For details, see KB52204.

To apply the EXTRA.DAT locally:

  1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
  2. Start the affected computer in Safe Mode with networking enabled.
  3. Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
  4. Launch Windows Explorer and navigate to C:\WINDOWS\system32:
     1. If svchost.exe exists in this folder and is not a 0-byte file, continue to Step 7.
     2. If svchost.exe has been deleted (or is a 0-byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console).

        If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:

        "C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe" /standalone

  5. Double-click Quarantine Manager Policy, then click the Manager tab.
  6. Right-click the detection and select Restore.
  7. Restart the computer normally.

If you are unable to restore svchost.exe from Quarantine, or if svchost.exe is 0 bytes, follow the manual svchost.exe recovery steps given under Solution 2 above (copy it from an unaffected computer running the same version of Windows, from ServicePackFiles\i386 or dllcache on the affected computer, or expand it from the Windows XP installation disk using the Recovery Console).

Workaround 2

ePO Users
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:

Related Information

IMPORTANT: If you are a consumer user, to resolve this issue see KnowledgeBase article TS100969 – ALERT: 5958 DAT Update Issue (For Home Users Only).

  • For additional information about EXTRA.DAT files, see KB68759.

Threat Center (McAfee Avert Labs)  http://www.mcafee.com/us/threat_center/

Search the Threat Library http://vil.nai.com/

Submit a virus sample https://www.webimmune.net/default.asp

Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

Attachment

EXTRA.zip


Source: http://vil.nai.com/vil/5958_false.htm
