McAfee fail: deleting svchost.exe because of false positive 'w32/wecorl.a'

Like many others around the world, the Windows XP systems I support started failing yesterday afternoon, with VirusScan claiming to have detected the w32/wecorl.a virus in svchost.exe. As has been widely reported by now, there was no virus present: this was a false positive in the 5958 DAT file. VirusScan’s automatic cleanup attempts, however, caused problems of their own.

Interestingly, the failure mode varied between machines. On some, VirusScan was unable to modify svchost.exe at all and only killed the running processes, so as soon as the corrected DAT, 5959, was applied the machine was back to normal. In the long term this shortcoming is a concern in its own right, since I have already captured malware in the wild which conceals its presence by installing a Winlogon Notification Package (a DLL loaded by winlogon.exe) and then injects its malicious payload into services.exe at startup; in this case, though, it happened to be helpful.

On other machines VirusScan had succeeded in deleting svchost.exe, or truncating it to 0 bytes, so that file needed to be replaced as well. Fortunately one machine had a spare copy, in compressed form as svchost.ex_.

One added complication was that the “access protection” component has an option called “Prevent Windows Process spoofing”, intended to stop malware masquerading as legitimate Windows processes such as svchost.exe. When it is enabled, it also prevents copying the genuine svchost.exe to a memory stick for transfer to affected machines. As a simple workaround I named the backup copy svchost.exx instead.

One of the reasons my university uses VirusScan is that the license covers all our staff and students for home use — normally a good thing, since it reduces the risk of viruses coming in from unprotected personal machines, but of course in this case it means the problem affects home systems as well.

To repair affected machines automatically, I put the 5959 SuperDAT file, a spare copy of svchost.exe (renamed to svchost.exx) and the trivial batch file below on a memory stick. As long as the user runs it in time, with appropriate privileges (which will be the case on personal machines), it aborts the pending shutdown, replaces svchost.exe and updates VirusScan with the corrected DAT.

@echo off
rem Cancel the pending shutdown before anything else
shutdown -a
rem %~dp0 already ends in a backslash; the backup is named .exx to get past 'Prevent Windows Process spoofing'
copy /y "%~dp0svchost.exx" "%systemroot%\system32\svchost.exe"
start "" "%~dp0sdat5959.exe"

Although ‘Prevent Windows Process spoofing’ blocked copying svchost.exe to a memory stick under that name, it did not prevent copying the same file into its official location, %systemroot%\system32. As the name implies, the rule is concerned only with stopping ‘impostor’ files that share a name with legitimate Windows executables, not with protecting the legitimate files themselves. That makes it of little use in general, and it is often an obstacle when repairing problems, building Windows installation images or copying service packs.
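A fuller version of the repair script, written here as an added example rather than the post’s own batch file. It assumes the memory stick carries the script itself, svchost.exx (a good copy of svchost.exe renamed as described above), optionally the compressed svchost.ex_ from an XP installation source, and sdat5959.exe; those file names, and the decision logic, are this example’s assumptions. It cancels the pending shutdown first, then replaces svchost.exe only when the file is actually missing or zero-length (the two damaged states seen above), falling back to expand for the compressed copy, and finally runs the SuperDAT. Writing into %systemroot%\system32 is not blocked by ‘Prevent Windows Process spoofing’, for the reason just given.

```batch
@echo off
setlocal
rem Added example, not the original post's script. Assumed stick layout:
rem   this script, svchost.exx, optionally svchost.ex_, and sdat5959.exe.
set TARGET=%SystemRoot%\system32\svchost.exe

rem 1. Cancel the pending shutdown first; everything else can wait.
shutdown -a

rem 2. Decide whether svchost.exe actually needs replacing:
rem    missing or truncated to 0 bytes means yes, anything else means no.
set NEEDFIX=0
if not exist "%TARGET%" set NEEDFIX=1
if exist "%TARGET%" (
    for %%F in ("%TARGET%") do if %%~zF EQU 0 set NEEDFIX=1
)

if "%NEEDFIX%"=="1" (
    echo svchost.exe missing or truncated - restoring
    if exist "%~dp0svchost.exx" (
        rem Plain copy of the renamed backup into its official location
        copy /y "%~dp0svchost.exx" "%TARGET%" >nul
    ) else if exist "%~dp0svchost.ex_" (
        rem Decompress the copy taken from an XP installation source
        expand "%~dp0svchost.ex_" "%TARGET%" >nul
    ) else (
        echo No spare copy of svchost.exe found on this stick
        exit /b 1
    )
) else (
    echo svchost.exe is intact - only the DAT needs fixing
)

rem 3. Apply the corrected DAT. 'start ""' keeps a path with spaces from
rem    being taken as the window title.
start "" "%~dp0sdat5959.exe"

endlocal
```

Checking the file’s state before copying avoids overwriting an intact svchost.exe on the machines where VirusScan only killed the processes, and the expand fallback means a single compressed copy from the i386 directory is enough if no renamed backup is to hand.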
