Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
173027 Views 193 Replies Latest reply: Apr 27, 2010 10:40 AM by markp RSS 1 2 3 ... 20 Previous Next
CrazyFingers Newcomer 4 posts since
Nov 29, 2006
Currently Being Moderated

Apr 21, 2010 9:54 AM

W32/Wecorl.a 0-day?

Our network has an ePO server pushing current DATs, SPs, for VirusScan Enterprise 8.7i SP3.  Windows WSUS server pushing current Windows updates.  Large numbers of machine suddenly began rebooting with DCOM server process launcher errors.  McAfee detects svchost.exe as infected with Wecorl.a

This virus/trojan is fairly old and should have been caught, unless some new exploit is able to drop it without McAfee Virus reacting to it.  Anyone else seeing this?

  • Tefty Newcomer 35 posts since
    Sep 3, 2008
    Currently Being Moderated
    1. Apr 21, 2010 10:10 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    Ditto, calling McAfee now as i have over 1000 instances of this.

     

    DAT was released 40 minutes ago and no release notes for it are posted yet.

     

    UPDATE 1 :- SvcHost is the affected file apparently and VSE has deleted something in relation to this, all my devices are now constantly in a reboot loop and no network comm's can be made to these in anyway, shape or form.

     

     

    Message was edited by: Andy Smith on 21/04/10 10:10:01 CDT
  • Newcomer 5 posts since
    Apr 21, 2010
    Currently Being Moderated
    2. Apr 21, 2010 10:08 AM (in response to Tefty)
    Re: W32/Wecorl.a 0-day?

    Same here.  I think it's a dat file issue.  We're on the phone right now.

  • patty.d00 Apprentice 56 posts since
    Jan 26, 2010
    Currently Being Moderated
    3. Apr 21, 2010 10:15 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    Same here..  Also on hold w/ support.  Anybody have any insite??

  • Newcomer 5 posts since
    Apr 21, 2010
    Currently Being Moderated
    4. Apr 21, 2010 10:35 AM (in response to Tefty)
    Re: W32/Wecorl.a 0-day?

    If you type shutdown -a in the cmd line, it will keep the PC from rebooting.  We stopped pushing the update and no one else has got it since.  This started just after we pushed the latest update.  Non of the PC's have any of the indications of infection associated with Wecorl.a.  It's taking forever to get Mcafee on the line so I assume they are getting bombarded with calls.

     

     

    Message was edited by: rastan01 on 4/21/10 10:35:43 AM CDT
  • patty.d00 Apprentice 56 posts since
    Jan 26, 2010
    Currently Being Moderated
    6. Apr 21, 2010 10:24 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    This is caused from a bad dat file.  Dat file 5958 is BAD.

  • Unblack Newcomer 61 posts since
    May 16, 2007
    Currently Being Moderated
    7. Apr 21, 2010 10:25 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    Same here!

    doing a servicecall

  • Newcomer 1 posts since
    Apr 21, 2010
    Currently Being Moderated
    8. Apr 21, 2010 10:32 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    Same here.

    Appears to delete svchost.exe which just made my test pc completly useless.

    Other department doesnt even have a test pc and they pushed it live... well done there.

     

    DAT 5958 W32/wecorl.a

  • Newcomer 5 posts since
    Apr 21, 2010
    Currently Being Moderated
    9. Apr 21, 2010 10:35 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    Same here Been on hold for 25 mins now

     

     

     

    Is there a way to rollback DATs on EPO 4.5?

     

     

    Message was edited by: jfwhite on 4/21/10 10:35:55 AM CDT
1 2 3 ... 20 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points