
W32/Wecorl.a 0-day?

Our network has an ePO server pushing current DATs, SPs, for VirusScan Enterprise 8.7i SP3. Windows WSUS server pushing current Windows updates. Large numbers of machines suddenly began rebooting with DCOM server process launcher errors. McAfee detects svchost.exe as infected with Wecorl.a.

This virus/trojan is fairly old and should have been caught, unless some new exploit is able to drop it without McAfee Virus reacting to it.  Anyone else seeing this?

193 Replies
Tefty
Level 7
Message 2 of 194

Re: W32/Wecorl.a 0-day?

Ditto, calling McAfee now as I have over 1000 instances of this.

DAT was released 40 minutes ago and no release notes for it are posted yet.

UPDATE 1 :- SvcHost is the affected file apparently and VSE has deleted something in relation to this, all my devices are now constantly in a reboot loop and no network comms can be made to these in any way, shape or form.

Message was edited by: Andy Smith on 21/04/10 10:10:01 CDT
rastan01
Level 8
Message 3 of 194

Re: W32/Wecorl.a 0-day?

Same here.  I think it's a dat file issue.  We're on the phone right now.

bharrisii
Level 7
Message 4 of 194

Re: W32/Wecorl.a 0-day?

Same here - v 5958 is busted.

rastan01
Level 8
Message 5 of 194

Re: W32/Wecorl.a 0-day?

If you type `shutdown -a` in the cmd line, it will keep the PC from rebooting. We stopped pushing the update and no one else has got it since. This started just after we pushed the latest update. None of the PCs have any of the indications of infection associated with Wecorl.a. It's taking forever to get McAfee on the line so I assume they are getting bombarded with calls.

Message was edited by: rastan01 on 4/21/10 10:35:43 AM CDT

Re: W32/Wecorl.a 0-day?

I'm glad we're not alone (I think).

On an infected machine, if I can log in before the shutdown timer starts, I can stop the shutdown once it pops up by issuing `shutdown -a` at a command prompt. Then a McAfee window pops up warning that C:\Windows\system32\svchost.exe is infected with W32/Wecorl.a, and telling me that it could take no action since the clean failed.

But then when I go and run a manual scan on svchost.exe, nothing is found.

patty.d00
Level 9
Message 7 of 194

Re: W32/Wecorl.a 0-day?

Same here. Also on hold w/ support. Anybody have any insight?

patty.d00
Level 9
Message 8 of 194

Re: W32/Wecorl.a 0-day?

This is caused from a bad dat file.  Dat file 5958 is BAD.

Unblack
Level 10
Message 9 of 194

Re: W32/Wecorl.a 0-day?

Same here!

Doing a service call.

pderonde
Level 7
Message 10 of 194

Re: W32/Wecorl.a 0-day?

Same here.

Appears to delete svchost.exe which just made my test PC completely useless.

Other department doesn't even have a test PC and they pushed it live... well done there.

DAT 5958 W32/wecorl.a