Message 91 of 194

Re: W32/Wecorl.a 0-day?

April,

Before you remove the attachment and link to https://kc.mcafee.com/corporate/index?page=content&id=KB68780 again please make sure that page is accessible.  It's not currently.  I've been trying to load it for 5 minutes.  The support tech that I opened the incident with asked me to post that file in the forums which is why I did so.

Message 92 of 194

Re: W32/Wecorl.a 0-day?

I guess if you wait long enough it does eventually come up.  5+ minutes to load however.


Re: W32/Wecorl.a 0-day?

Looks like a lot of networks were affected by the 5958 DAT causing all kinds of havoc.

There is no immediate fix from McAfee yet, but what you need to do is roll back to the previous DAT.

I'm using the ePO 4.5 console, and this is what I've done:

Login to your epo console, and disable your updating.

Menu > Policy > Policy Catalog

From the Drop down, select McAfee Agent as your product. It will refresh and show you your Assignments.

Look for one called My Default, Edit Settings.

Click on Repositories.

In the Repositories List, disable any and all repositories from being updated, Save.

Next go to Updates.

check on DAT file downgrades: check off: Enable DAT file downgrades when the version in the repository is older than local version.

Save this.

You will need to do this for the policies other than My Default (if you have any).

Now to roll back a DAT...

You need to go to your Master Repository, and select the change branch on the DAT file previous to the 5958 (hence 5957, 6) and move it to current branch.

Perform a DAT upgrade.

I also found this KB to be useful; https://kc.mcafee.com/corporate/index?page=content&id=KB59840

I've been on support waiting for an agent since 1:16 minutes, they are getting slammed with this stuff. LOL.

Good luck to all the admins out there battling this.

Message 94 of 194

Re: W32/Wecorl.a 0-day?

Fix info posted here with Extra.dat file from McAfee.

http://community.mcafee.com/message/125621#125621

Message 95 of 194

Re: W32/Wecorl.a 0-day?

McAfee has released the 5959 DAT but we have found that the svchost.exe file has become corrupted and needs to be manually replaced which we have done by slaving the affected hard drive to a clean machine and copying an uncorrupted svchost file to the Windows\System32 folder.  Does anybody know a way to copy the file on the fly while still logged on to Windows?

I think McAfee should include this fix in their update since they broke the svchost file in the first place.  It probably wouldn't be hard to do but would no doubt require a reboot.  Are you listening McAfee?!

Message 96 of 194

Re: W32/Wecorl.a 0-day?

Use Windows PE if you can.

Message 97 of 194

Re: W32/Wecorl.a 0-day?

I love how in the AP news release McAfee isn't aware of any significant impact on consumers?   Their phone lines were jammed all morning, the forums went down for hours due to the traffic load, but hey they aren't aware of any impact..

Message 98 of 194

Re: W32/Wecorl.a 0-day?

We wrote a batch script which we deployed with Novell, here it is (test still in progress, but should work).

It checks the version of the .dat file - if 5958 (hex 0x1746) then the fix will be supplied.

It also checks if it is a Win2k OS.

We kill the "svchost.exe" process twice, because the svchost.exe sometimes starts very fast so the copy action fails.

Hope it will help!

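############################

@echo off

rem Cancel any shutdown that is already counting down.
shutdown -a

rem Read the installed DAT version. The third token of the value line is the data;
rem the default delimiters (space and tab) cover both reg.exe output styles.
for /f "tokens=3" %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\ /v AVDatVersion') do set control=%%i

rem Only continue on machines with DAT 5958 (0x1746). Quoted so an empty value does not break the test.
if NOT "%control%" == "0x1746" goto done

rem Skip Windows 2000 machines (system directory C:\WINNT).
if exist C:\WINNT\explorer.exe goto done

rem Kill svchost.exe repeatedly; it can restart before the copy runs.
\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\pskill svchost.exe
shutdown -a
\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\pskill svchost.exe
\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\pskill svchost.exe

rem Replace svchost.exe in system32 and in the dllcache.
xcopy \\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\svchost.exe c:\windows\system32  /Y /R /H /G /C /K
xcopy \\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\svchost.exe C:\WINDOWS\system32\dllcache  /Y /R /H /G /C /K
shutdown -a

rem Install the 5959 SuperDAT silently, then reboot.
\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\sdat5959.exe /logfile c:\virus.log /F /silent
shutdown -r

:done
exit

############################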

btw: In Germany it is nearly midnight... We made all 8 long hours 😕 Thanks McAfee!

Message edited by koffy on 21.04.10 16:17:39 CDT

Message edited by koffy on 21.04.10 16:19:38 CDT
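
A check that could run before the xcopy step of the script above, so that svchost.exe is only overwritten from the share when the share's copy matches a hash pinned in advance. This is an added example, not part of the original post or any McAfee tooling; it assumes PowerShell 4.0 or later, reuses the registry value and share path from the post, and uses a placeholder for the pinned hash.

```powershell
# Added example (not from the thread). Requires PowerShell 4.0+ for Get-FileHash.
# Assumptions: share path as written in the post; $PinnedHash is a placeholder to
# be filled from a known-clean machine at the same OS and service-pack level.
$Reference  = '\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\svchost.exe'
$LocalCopy  = Join-Path $env:SystemRoot 'System32\svchost.exe'
$PinnedHash = '<SHA256-OF-KNOWN-GOOD-SVCHOST>'
$BadDat     = 0x1746   # 5958, the value the posted script tests for

function Get-DatVersion {
    # Same value the post reads with "reg query"; reg.exe prints it as hex,
    # PowerShell returns the number.
    $key  = 'HKLM:\SOFTWARE\McAfee\AVEngine'
    $prop = Get-ItemProperty -Path $key -Name AVDatVersion -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.AVDatVersion
}

function Get-FileState {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedHash)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'Missing' }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -eq $ExpectedHash) { return 'Good' }   # string -eq ignores case
    return 'Mismatch'
}

function Get-RepairPlan {
    $dat = Get-DatVersion
    if ($null -eq $dat)   { return 'NoAVEngineKey' }
    if ($dat -ne $BadDat) { return 'DatNotAffected' }
    # Never overwrite a system binary from a share whose copy is unverified.
    if ((Get-FileState -Path $Reference -ExpectedHash $PinnedHash) -ne 'Good') {
        return 'ReferenceUntrusted'
    }
    # Missing or altered local file: the copy step is warranted.
    if ((Get-FileState -Path $LocalCopy -ExpectedHash $PinnedHash) -eq 'Good') {
        return 'LocalFileIntact'
    }
    return 'CopyReference'
}

Get-RepairPlan
```

The pinned hash has to come from a machine with the same Windows version and service pack as the targets, otherwise an intact local file will be reported as a mismatch.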

Re: W32/Wecorl.a 0-day?

Carl - to copy the svchost file, do it through a cmd prompt

Message 100 of 194

Re: W32/Wecorl.a 0-day?

Here is another way.  Create a batch file called Update.bat

copy "c:\program files\common files\mcafee\engine\oldengine\avv*" "c:\program files\common files\mcafee\engine\"

ECHO REBOOT PC NOW

1. Boot computer into Safe Mode

2. Log in as local administrator

3. Run update.bat file.

4. Once complete, reboot the computer and it should log in to the network fine.

If you are still having issues with SVCHOST, copy it from a clean XP workstation SP 3, add it to a thumb drive, and add another line to copy.

Add the following line to the bat file

copy svchost.exe c:\windows\system32

Hope this helps.

Thanks Mike
