Our network has an ePO server pushing current DATs, SPs, for VirusScan Enterprise 8.7i SP3. Windows WSUS server pushing current Windows updates. Large numbers of machine suddenly began rebooting with DCOM server process launcher errors. McAfee detects svchost.exe as infected with Wecorl.a
This virus/trojan is fairly old and should have been caught, unless some new exploit is able to drop it without McAfee Virus reacting to it. Anyone else seeing this?
Ditto, calling McAfee now as i have over 1000 instances of this.
DAT was released 40 minutes ago and no release notes for it are posted yet.
UPDATE 1 :- SvcHost is the affected file apparently and VSE has deleted something in relation to this, all my devices are now constantly in a reboot loop and no network comm's can be made to these in anyway, shape or form.
Message was edited by: Andy Smith on 21/04/10 10:10:01 CDT
If you type shutdown -a in the cmd line, it will keep the PC from rebooting. We stopped pushing the update and no one else has got it since. This started just after we pushed the latest update. Non of the PC's have any of the indications of infection associated with Wecorl.a. It's taking forever to get Mcafee on the line so I assume they are getting bombarded with calls.
Message was edited by: rastan01 on 4/21/10 10:35:43 AM CDT
I'm glad we're not alone (I think).
On an infected machine, if I can log in before the shutdown timer starts, I can stop the shutdown once it pops up by issuing shutdown -a at a command prompt. Then a McAfee window pops up warning that C:\Windows\system32\svchost.exe is infected with W32/Wecorl.a, and telling me that it could take no action since the clean failed.
But then when I go and run a manual scan on svchost.exe, nothing is found.
Appears to delete svchost.exe which just made my test pc completly useless.
Other department doesnt even have a test pc and they pushed it live... well done there.
DAT 5958 W32/wecorl.a