McAfee pushed out a virus definition update, 5958, today that causes a false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 with the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to reboot automatically, making repair a difficult process.
McAfee’s support seems to have gone into meltdown as a result of this issue, so don’t expect much help there. The following procedure may do the trick:
- Boot the system into safe mode
- Drop the attached extra.dat in c:/program files/common files/mcafee/engine
- Reboot into normal mode
The broken update should no longer be available, so non-affected users should be safe now. The new update is 5959, which is the same as the previous update but without the problematic definition.
Reports of tens of thousands of affected machines (including Intel) will leave a lot of egg on McAfee’s face for the immediate future. What’s interesting is that rudimentary QA would uncover something like this, so how did this get out?