W32.Wecorl.a (or Variant) Infection across enterprise

wperry1

My company has just been hit with what seems to be a massive infection
of a new variant of the W32.wecorl.a virus. It has spread and infected
a large number of systems in our HQ office and for our remote users.

Users boot up and log in then they get a notice from McAfee that an
infection was detected and the system shuts down and reboots.

Systems are primarily WinXP with up-to-date patches and running McAfee
VirusScan Enterprise with updated Defs (at least to yesterday)

Is anyone else dealing with this? Any ideas on effective widespread
removal techniques?
 
Joined
Apr 21, 2010
Messages
8
Reaction score
0
Same problem

SOLVED:
https://kc.mcafee.com/corporate/index?page=content&id=KB68780

We removed the DAT file manually by booting the PC with a CD (Windows Recovery). Deleted files in c:\program files\common files\mcafee\engine with .DAT extension.
Download DAT from McAfee website: http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=uk&segment=enterprise
Install the downloaded DAT on the computer in normal Windows mode, and then reboot to apply the DAT.






We have the same problem. Just a few minutes ago all our XP clients with McAfee shut down with a message about the DCOM service. Most of the network configs are broken and the RPC service is stopped. We are trying to scan with the latest up-to-date anti-virus programs, but are unable to delete this virus.

McAfee tells us it's wecorl.a, but that is an old virus. Can anyone help? All our XP computers are infected, in just a few minutes!
 
McAfee has confirmed that this is a false positive in today’s DAT, version 5958. At my organization we are attempting to roll back the DATs to a previous version via ePO.
 
Confirmed, the DAT file is the culprit. Get the DAT out of your repository and roll back to 5957.
 
Hi There,

We have the exact same problem in the same type of environment: XP + McAfee.
For the moment we are still trying to find a solution. If you have anything, let us know.

Regards,

Alex
 
Provide Link

If this is a confirmed problem with the DAT file, please post a link to McAfee's website.
 
mbaggett said:
If this is a confirmed problem with the DAT file, please post a link to McAfee's website.

Just confirmed via call w/McAfee. They will post info soon.
 
Also on hold, but it takes a long time before I get an agent... even though we have gold support. It seems to be the DAT version, because we had no problems with the older DAT. When updating to the new DAT, everything crashed. We are rolling back atm with ePO.
 
hrc said:
Sam here, on hold w/McAfee. How do you roll back without using ePO?

If you experience problems with a recent DAT update in VirusScan, you can revert to the previous working update. To revert to the previous DAT version in VirusScan 8.x (also known as Rollback):
  1. Open the VirusScan Console by going to Start->Programs->McAfee->VirusScan Console.
  2. From the Tools menu, select Rollback DATs.
  3. When prompted whether you wish to Rollback the DATs, choose Yes.
The resulting window will display the rollback process. When completed, the window will display that it has updated successfully. You can click the Close button to close this update window. You may also close the VirusScan Console window.

Note: VirusScan will not allow you to apply the DAT file that you rolled back from again. VirusScan will not update itself until a newer version from the rollback DAT is available.
 
sconder said:
If you experience problems with a recent DAT update in VirusScan, you can revert to the previous working update. To revert to the previous DAT version in VirusScan 8.x (also known as Rollback):
  1. Open the VirusScan Console by going to Start->Programs->McAfee->VirusScan Console.
  2. From the Tools menu, select Rollback DATs.
  3. When prompted whether you wish to Rollback the DATs, choose Yes.
The resulting window will display the rollback process. When completed, the window will display that it has updated successfully. You can click the Close button to close this update window. You may also close the VirusScan Console window.

Note: VirusScan will not allow you to apply the DAT file that you rolled back from again. VirusScan will not update itself until a newer version from the rollback DAT is available.

Not working because the service is down and cannot be started... trying safe mode now
 
Hi guys,
same for us...
I'm on safe mode but I cannot see the Rollback DATs menu under tools... any idea?
 
My company is getting massive amounts of reboots due to Windows process (DCOM, RPC) errors. This doesn't sound like a false positive. Could the DAT be causing the reboots? Please advise!
 
radi0head44 said:
My company is getting massive amounts of reboots due to Windows process (DCOM, RPC) errors. This doesn't sound like a false positive. Could the DAT be causing the reboots? Please advise!

Yes. Since it detects SVCHost.exe as being infected, it attempts to take action on the file, thus prompting a reboot.
 
Does anyone have a link to some hard evidence that the dat is bad? I am also receiving the same symptoms, but I need something before I start rolling back 5000 pcs?


Thanks!
 
1 computer was hard to downgrade in DAT file. We had to boot from CD, remove .DAT files in C:\program files\common files\mcafee\engine and then reboot. At reboot we installed the DAT from McAfee website with /f parameter, rebooted and it works now.
 
You can force the dat file to install even if the version is older than the existing one:

5957xdate.exe /f

The bad dat is no longer in the repository so that should fix the program.
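
The forced downgrade described in the posts above, as an added batch example that is not part of the thread or McAfee's own tooling: it moves the existing .DAT files aside (rather than deleting them) and then runs the 5957 package with `/f`. The backup folder name is hypothetical, the script assumes `5957xdate.exe` sits next to it, and it assumes the installer returns a non-zero exit code on failure.

```bat
@echo off
rem Added example: scripted version of the manual DAT downgrade in this thread.
rem Run in normal Windows mode from the folder holding 5957xdate.exe.
setlocal

rem Engine folder as given in the thread, expressed via %ProgramFiles%.
set "ENGINE=%ProgramFiles%\Common Files\McAfee\Engine"
rem Hypothetical backup location; any local folder works.
set "BACKUP=%SystemDrive%\dat-5958-backup"
rem Folder this script was started from.
set "HERE=%~dp0"
set "SDAT=%HERE%5957xdate.exe"

if not exist "%SDAT%" (
    echo ERROR: "%SDAT%" not found. Download the DAT package first.
    exit /b 1
)
if not exist "%ENGINE%\" (
    echo ERROR: engine folder "%ENGINE%" not found.
    exit /b 1
)

rem Keep the current DAT files as a backup instead of deleting them.
if not exist "%BACKUP%\" mkdir "%BACKUP%"
if exist "%ENGINE%\*.dat" (
    move /y "%ENGINE%\*.dat" "%BACKUP%\" >nul
    if errorlevel 1 echo WARNING: some DAT files could not be moved; continuing with /f.
)

rem /f forces the install even though 5957 is older than the DAT in place.
start "" /wait "%SDAT%" /f
rem Assumption: a non-zero exit code means the install failed.
if errorlevel 1 (
    echo ERROR: DAT installer reported a failure; fall back to the boot-CD method.
    exit /b 1
)

echo 5957 DAT installed. Reboot to apply the DAT.
endlocal
```

If the move step warns that files could not be moved, the boot-CD removal described earlier in the thread remains the fallback.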
 
