SANS reports that the McAfee DAT 5958 Update misidentifies svchost.exe, a standard Windows file, as the W32/Wecorl.a virus.
This causes Windows XP SP3 systems to go into a reboot loop, lose all network access, and display the following message:
The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.
For whatever reason, this hash value/signature causes a false positive. Is it possible that the hash value for this system file is the same as that of the virus? Or is it simply that the wrong signature was used? I’d be curious to know – especially if a virus has the same hash value as a Windows system file….


