Big News: Norton AntiVirus cripples thousands of PCs in China

Puss in Boots

Norton AntiVirus cripples thousands of PCs in China
By Lu EnJie - Fri, 05/18/2007 - 09:45.


A routine upgrade of anti-virus software has disabled tens of
thousands of PCs in China, according to local media reports. The
faulty upgrade caused Symantec's Norton AntiVirus software to remove
critical Windows XP system files, the reports state.

The system files moved or deleted by the software include netapi32.dll
and lsasrv.dll, according to Sohu News (in Chinese). The software
incorrectly identifies the files as being infected with the
Backdoor.Haxdoor trojan. With these files removed, Windows XP will no
longer start up, and even the system safe mode no longer functions.
Only Chinese-language versions of Windows appear to be affected so
far.

The Norton AntiVirus application is part of Norton's 360 suite and it
is pre-installed in many PCs sold in China, indicating that the
problem could potentially affect millions of users.

Patched PCs vulnerable

The problem appears to stem from an update Microsoft released in
November 2006, which contained new versions of some system files, as
PCs which have not applied this update are unaffected.

Symantec has acknowledged the issue and is working on a solution,
reports said - although there is no apparent mention of it on the
company's Chinese website.

PC owners affected by the issue may be able to restore the missing
files from their Windows XP installation CDs. However, since piracy of
Windows XP is common in China, some users may not have access to these.
 
Virus Guy

Puss said:
A routine upgrade of anti-virus software has disabled tens of
thousands of PCs in China,

Really?

Tens of thousands of PCs in China are actually running some form of
AV software?!

Puss said:
The problem appears to stem from an update Microsoft released in
November 2006

Wow - and those PCs in China are actually configured for automatic XP
updates?

Puss said:
PCs which have not applied this update are unaffected.

Presumably there are millions of those...
 
Puss in Boots

Virus Guy said:
Really?

Tens of thousands of PCs in China are actually running some form of
AV software?!

Wow - and those PCs in China are actually configured for automatic XP
updates?

You underestimated China's pirate editions of Windows. These pirate
versions are even *better* than the original Windows installation CDs
because they (1) pre-tweak many system settings (Registry values) for
better performance, (2) pre-install all the Hotfixes Microsoft has
ever released to the creation day of the pirate edition, (3) activate
the Windows Updates feature permanently, and (4) pre-install several
desktop enhancements including several popular third-party visual
styles such as Luna Element, Mac Aqua.
 
Virus Guy

Puss said:
You underestimated China's pirate editions of Windows. These
pirate versions are even *better* than the original Windows
installation CDs because ...

And that would explain why so much zombie spam and zombie DNS hosting
is coming from Chinese IP space?
 
Oliver Betz

Puss said:
A routine upgrade of anti-virus software has disabled tens of
thousands of PCs in China, according to local media reports. The
faulty upgrade caused Symantec's Norton AntiVirus software to remove
critical Windows XP system files, the reports state.

and it also deletes Pegasus Mail, see pmail.com

Incredible false positives and incredible that so many people let NAV
delete files...

BTW: F-Prot 6 can't be configured to have "only warn" as action for a
manual scan from the context menu - it forces quarantine. Stupid
IMNSHO.

Oliver
 
