McAfee’s False Positive of w32/wecorl.a Caused Removal of svchost.exe

Yesterday morning there were reports of computers going into a continuous rebooting cycle due to a glitch in a McAfee antivirus software update. Apparently this only affected McAfee’s enterprise customers, and only computers running Windows XP SP3. Even though the absolute number of computers affected does not appear to be large (McAfee’s own press release puts that number at 0.005% of all machines running McAfee), the story nevertheless made it to the front page of Digg, and Twitter was abuzz with anti-McAfee tweets. What’s worse, malware vendors have used this opportunity to spam search engine results, leading unsuspecting users to download viruses and trojans.

What happened was that McAfee released a new virus definition file (5958) that produced a false positive: it detected the legitimate svchost.exe file as infected with the W32/wecorl.a virus. As a result, the McAfee program deleted the svchost.exe file, which rendered Windows systems unbootable. For those affected, a manual fix was needed to restore the svchost.exe file. Large companies such as Intel were hit. Some hospitals were also reportedly hit, causing delays in scheduled surgeries and halting treatment of non-trauma emergency room patients.

One thing that was surprising was the number of computers still running Windows XP, as Microsoft has released two generations of Windows operating systems since. This event tells us that many large companies do not trust Microsoft’s newer versions of Windows. This is something Microsoft definitely needs to pay attention to.