W32.Wecorl.a (or Variant) Infection across enterprise

sconder said:
Rolling back DATs manually not working for us. Others seem to confirm as well. Networking also affected on machines. (see Update 1 section of link below)

http://isc.sans.org/diary.html?storyid=8656

Rolling back DAT can be done by deleting the files in C:\program files\common files\mcafee\engine, however they are in use. Try to boot the system from a CD, delete the DAT files and then install the downloadable DAT file.
 
Hmmm... not good. Looks like McAfee has already pulled the EXTRA.DAT and the KB article I linked to. They also deleted a link to the EXTRA.DAT out of a post on their own forums...
 
Our company here is having the same issues as everyone else. We have a file "extra.dat" that was given to us by our sales vendors and we uploaded that into our EPOC. Our machines that have the 5957 dat are not affected as well as machines that are running SP2. The 5958 dat seems to be the only dat giving us problems. We have been on hold with McAfee for 2 hours so far and are being transferred to tier 2-3 support.


We were able to get the extra.dat deployed to a few of our machines but unfortunately those machines now are seeing some odd problems. At first I thought it may have been a coincidence but it seems to be happening on at least 2 computers.

The start bar is minimized as if shrunk down to only a few pixels. If you try to resize it, it won't let you because the toolbars are locked. If you right-click to unlock, the unlock feature is disabled. Also, in the event viewer we were looking to see McAfee's update logs. In the application log there are events in the 5000s for McLogEvent. On these two machines we cannot open the events to view the details; we can only see the list of events, as if the Event Viewer is broken.

Is anyone else seeing these odd behaviours as well?

I have attached our "Extra.dat" as extra.txt. If anyone is interested rename it to "Extra.dat".
 

Attachments: EXTRA.txt (21.3 KB)
We are having issues with the affected machines not passing network traffic. Additionally, IE will not start and they seem unable to use USB drives.
 
sconder said:
We are having issues with the affected machines not passing network traffic. Additionally, IE will not start and they seem unable to use USB drives.

We are seeing the network problems as well.
 
I was reading that McAfee community site before it went down and was reading that the super.dat /f install was not working.

Does anyone else have any more information about this?
 
We confirmed that the networking issue is caused by McAfee deleting the SVCHOST.EXE file from the SYSTEM32 directory. Restoring the file has brought back the menu bar and networking and IE appears to be functional again.
 
sconder said:
We confirmed that the networking issue is caused by McAfee deleting the SVCHOST.EXE file from the SYSTEM32 directory. Restoring the file has brought back the menu bar and networking and IE appears to be functional again.


I was able to replace the SVCHOST.EXE file within Windows from a thumb drive. Copying off the drive did not work, so I had to use xcopy at the command line to copy it to system32. I then ran sdat5957.exe -f and it rebooted. The machine seems to be fully functional again.

Our problem now is that we cannot do this remotely and we have a very large number of remote computers. Since this breaks the networking on these computers we are trying to find a way to avoid using a thumbdrive to get files to people. Copying 60 megs to/from remote laptops is not an option. I have the sdat5957.exe file and if anyone has an ftp they would like me to upload it to let me know.
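The recovery steps jghake describes (check whether System32\svchost.exe is gone, copy a known-good one back with xcopy, then run sdat5957.exe -f) as a triage script, together with the McLogEvent Application-log check from earlier in the thread. This is an added example, not code posted in the thread or supplied by McAfee; it assumes PowerShell 2.0 on the affected XP hosts, and the ServicePackFiles\i386 source folder, the parameter names and the event-ID window are assumptions.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 on the affected Windows XP
# host, run from an administrator session. Paths other than System32 are assumptions.
param(
    # Known-good svchost.exe; the XP SP3 ServicePackFiles\i386 folder is an assumed source
    [string]$GoodSvchost = (Join-Path $env:WINDIR 'ServicePackFiles\i386\svchost.exe'),
    # SuperDAT roll-back package named in the thread (run as: sdat5957.exe -f)
    [string]$SuperDat = '.\sdat5957.exe',
    [switch]$Repair
)

$system32 = Join-Path $env:WINDIR 'System32'
$target   = Join-Path $system32 'svchost.exe'

# Symptom 1: the 5958 DAT false positive removed svchost.exe, which breaks networking and the taskbar
$svchostPresent = Test-Path -LiteralPath $target

# Symptom 2: McLogEvent entries (event IDs in the 5000s) in the Application log record the detection
$mcEvents = @(Get-EventLog -LogName Application -Source McLogEvent -Newest 200 -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -ge 5000 -and $_.EventID -lt 6000 })

Write-Host ('{0}: svchost.exe present = {1}, McLogEvent 5xxx entries = {2}' -f `
            $env:COMPUTERNAME, $svchostPresent, $mcEvents.Count)

if ($svchostPresent -and $mcEvents.Count -eq 0) { Write-Host 'No symptoms found.'; return }
if (-not $Repair) { Write-Host 'Host looks affected; re-run with -Repair to restore svchost.exe.'; return }

if (-not $svchostPresent) {
    if (-not (Test-Path -LiteralPath $GoodSvchost)) { throw "No known-good svchost.exe at $GoodSvchost" }
    # The thread reports that an Explorer copy failed while xcopy from a command prompt worked
    & xcopy.exe /Y /H $GoodSvchost $system32
    if (-not (Test-Path -LiteralPath $target)) { throw 'xcopy did not restore svchost.exe' }
    Write-Host "Restored $target from $GoodSvchost"
}

# Roll the signatures back to DAT 5957 with the SuperDAT package; it reboots the host when done
if (Test-Path -LiteralPath $SuperDat) { & $SuperDat -f }
else { Write-Host "Place $SuperDat next to this script to roll back to DAT 5957." }
```

Because the affected hosts cannot pass network traffic, the script and the sdat5957.exe package still have to reach the machine by removable media, as the thread notes; the script only removes the hand-typed steps once you are at the console.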
 
jghake said:
I was able to replace the SVCHOST.EXE file within Windows from a thumb drive. Copying off the drive did not work, so I had to use xcopy at the command line to copy it to system32. I then ran sdat5957.exe -f and it rebooted. The machine seems to be fully functional again.

Our problem now is that we cannot do this remotely and we have a very large number of remote computers. Since this breaks the networking on these computers we are trying to find a way to avoid using a thumbdrive to get files to people. Copying 60 megs to/from remote laptops is not an option. I have the sdat5957.exe file and if anyone has an ftp they would like me to upload it to let me know.

Yup, I have 2,669 potentially affected computers (WXP + SP3 + DAT 5958) in 59 buildings. I am going to send a bill for a new pair of sneakers to McAfee.
 
sconder said:
FYI, McAfee has released DAT 5959...

I've been trying really hard to find a link which works, but to no avail. Do you know about any other website whose server isn't down?

Thanks, and one more question: which would be better, to roll back to the 5957 version or to download the newer 5959 one?
 
David H. Lipman

From: "wperry1" <[email protected]>

| My company has just been hit with what seems to be a massive infection
| of a new variant of the W32.wecorl.a virus. It has spread and infected
| a large number of systems in our HQ office and for our remote users.

| Users boot up and log in then they get a notice from McAfee that an
| infection was detected and the system shuts down and reboots.

| Systems are primarily WinXP with up-to-date patches and running McAfee
| VirusScan Enterprise with updated Defs (at least to yesterday)

| Is anyone else dealing with this? Any ideas on effective widespread
| removal techniques?

McAfee f**ked this one up !

The 5959 dat files have been released early due to a DAT Issue Emergency with the 5958 DAT Files.

The reason for this DAT Issue Emergency is a 'W32/Wecorl.a' False Positive in 5958 DAT.

The various 5959 dat file packages can be found at

http://www.mcafee.com/apps/downloads/security_updates/dat.asp

http://www.us-cert.gov/current/index.html#mcafee_dat_5958_issues
 
Blues said:
I've been trying really hard to find a link which works, but to no avail. Do you know about any other website whose server isn't down?

Thanks, and one more question: which would be better, to roll back to the 5957 version or to download the newer 5959 one?

At this point we are going the 5957 route. We KNOW they were not an issue.
 
FromTheRafters

David H. Lipman said:
From: "wperry1" <[email protected]>

| My company has just been hit with what seems to be a massive infection
| of a new variant of the W32.wecorl.a virus. It has spread and infected
| a large number of systems in our HQ office and for our remote users.

| Users boot up and log in then they get a notice from McAfee that an
| infection was detected and the system shuts down and reboots.

| Systems are primarily WinXP with up-to-date patches and running McAfee
| VirusScan Enterprise with updated Defs (at least to yesterday)

| Is anyone else dealing with this? Any ideas on effective widespread
| removal techniques?

McAfee f**ked this one up !

The 5959 dat files have been released early due to a DAT Issue Emergency with the 5958 DAT Files.

The reason for this DAT Issue Emergency is a 'W32/Wecorl.a' False Positive in 5958 DAT.

The various 5959 dat file packages can be found at

http://www.mcafee.com/apps/downloads/security_updates/dat.asp

http://www.us-cert.gov/current/index.html#mcafee_dat_5958_issues

Yet another DoS made possible by security software. :blush:)
 
