CrazyFingers
Level 7

W32/Wecorl.a 0-day?

Our network has an ePO server pushing current DATs, SPs, for VirusScan Enterprise 8.7i SP3.  Windows WSUS server pushing current Windows updates.  Large numbers of machines suddenly began rebooting with DCOM server process launcher errors.  McAfee detects svchost.exe as infected with Wecorl.a.

This virus/trojan is fairly old and should have been caught, unless some new exploit is able to drop it without McAfee Virus reacting to it.  Anyone else seeing this?

0 Kudos
193 Replies
Tefty
Level 7

Re: W32/Wecorl.a 0-day?

Ditto, calling McAfee now as I have over 1000 instances of this.

DAT was released 40 minutes ago and no release notes for it are posted yet.

UPDATE 1 :- SvcHost is the affected file apparently and VSE has deleted something in relation to this, all my devices are now constantly in a reboot loop and no network comms can be made to these in any way, shape or form.

Message was edited by: Andy Smith on 21/04/10 10:10:01 CDT
0 Kudos
rastan01
Level 8

Re: W32/Wecorl.a 0-day?

Same here.  I think it's a dat file issue.  We're on the phone right now.

0 Kudos
bharrisii
Level 7

Re: W32/Wecorl.a 0-day?

Same here - v 5958 is busted.

0 Kudos
rastan01
Level 8

Re: W32/Wecorl.a 0-day?

If you type shutdown -a in the cmd line, it will keep the PC from rebooting.  We stopped pushing the update and no one else has got it since.  This started just after we pushed the latest update.  None of the PCs have any of the indications of infection associated with Wecorl.a.  It's taking forever to get McAfee on the line so I assume they are getting bombarded with calls.

Message was edited by: rastan01 on 4/21/10 10:35:43 AM CDT
0 Kudos
CrazyFingers
Level 7

Re: W32/Wecorl.a 0-day?

I'm glad we're not alone (I think).

On an infected machine, if I can log in before the shutdown timer starts, I can stop the shutdown once it pops up by issuing shutdown -a at a command prompt.  Then a McAfee window pops up warning that C:\Windows\system32\svchost.exe is infected with W32/Wecorl.a, and telling me that it could take no action since the clean failed.

But then when I go and run a manual scan on svchost.exe, nothing is found.

0 Kudos
patty.d00
Level 9

Re: W32/Wecorl.a 0-day?

Same here.  Also on hold w/ support.  Anybody have any insight?

0 Kudos
patty.d00
Level 9

Re: W32/Wecorl.a 0-day?

This is caused by a bad dat file.  Dat file 5958 is BAD.

0 Kudos
Unblack
Level 10

Re: W32/Wecorl.a 0-day?

Same here!

Doing a service call.

0 Kudos
pderonde
Level 7

Re: W32/Wecorl.a 0-day?

Same here.

Appears to delete svchost.exe, which just made my test PC completely useless.

Other department doesn't even have a test PC and they pushed it live... well done there.

DAT 5958 W32/wecorl.a

0 Kudos