If you are using McAfee anti-virus products on Windows XP and diligently auto-updating virus definition files every day, you might not be reading this at all. Yesterday, a buggy update released by the manufacturer early in the day brought Windows XP machines worldwide to their knees. Although the update was available for only four hours before distribution was halted, that was enough to cause widespread damage.
A report on Cnet reads,
The University of Michigan’s medical school reported that 8,000 of its 25,000 computers crashed. Police in Lexington, Ky., resorted to hand-writing reports and turned off their patrol car terminals as a precaution. Some jails cancelled visitation, and Rhode Island hospitals turned away non-trauma patients at emergency rooms and postponed some elective surgeries.
Intel was also hit by McAfee’s bungled update.
The buggy update made the anti-virus detection engine falsely identify SVCHOST.EXE, a vital and legitimate Windows component, as malware known as W32/Wecorl.a. Affected machines keep restarting themselves.
Today McAfee published two solutions to their massive goof-up and also released a fix. The first solution involves applying the fix and moving the quarantined SVCHOST.EXE file back to its proper location. If SVCHOST.EXE has been deleted and cannot be found, McAfee proposes a second solution where users have to get the file from an unaffected Windows XP machine.
Here is a simplified version of the proposed fix:
1. Start Windows, click Start > Run, type CMD and hit Enter.
2. At the Command prompt type ‘shutdown -a’ without the quotes to abort the shutdown.
3. Open McAfee and disable Access Protection and On-Access Scanner
4. Download EXTRA.DAT (the fix) and unzip.
5. Copy Extra DAT into c:\program files\common files\mcafee\engine
6. Pull up the VSE console and open “Quarantine manager”
7. Click on SVCHOST.EXE and select “Restore”
8. If SVCHOST.EXE is not found in Quarantine manager, locate an unaffected Windows XP computer and copy the file from C:\windows\ServicePackFiles\i386\svchost.exe or c:\windows\system32\dllcache\svchost.exe
9. Copy SVCHOST.EXE to c:\windows\system32 using external media (USB, CD etc.)
10. Reboot computer
11. Use the product update to update to 5959
12. Delete the Extra DAT file in c:\program files\common files\mcafee\engine
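Steps 8 and 9 as a script, added here as an example and not part of McAfee's published fix; the `stage`/`restore` modes and the media path argument are assumptions. It only stages a cached copy that is byte-identical to the donor machine's working svchost.exe, and it verifies the restored file against the staged one.

```batch
@echo off
rem Added example, not McAfee's tooling. Modes and arguments are assumptions.
rem   stage   <media-dir>   run on the unaffected XP machine (step 8)
rem   restore <media-dir>   run on the affected machine after steps 3-5 (step 9)
setlocal
if "%~2"=="" goto usage
set "MEDIA=%~2"
set "LIVE=%SystemRoot%\system32\svchost.exe"
if /i "%~1"=="stage" goto stage
if /i "%~1"=="restore" goto restore
goto usage

:stage
rem Try the two cache locations from step 8; accept the first one that is
rem byte-identical to the working svchost.exe on this machine.
set "SRC="
for %%F in ("%SystemRoot%\ServicePackFiles\i386\svchost.exe" "%SystemRoot%\system32\dllcache\svchost.exe") do (
  if not defined SRC if exist "%%~F" (
    fc /b "%%~F" "%LIVE%" >nul 2>&1 && set "SRC=%%~F"
  )
)
if not defined SRC (echo No cached copy matches %LIVE%; nothing staged.& exit /b 1)
copy /b /v "%SRC%" "%MEDIA%\svchost.exe" >nul
if errorlevel 1 (echo Copy to %MEDIA% failed.& exit /b 1)
echo Staged %SRC% to %MEDIA%
exit /b 0

:restore
rem Step 2: cancel the pending forced restart so the copy can finish.
shutdown -a >nul 2>&1
if exist "%LIVE%" (echo %LIVE% is already present; nothing to restore.& exit /b 0)
if not exist "%MEDIA%\svchost.exe" (echo No svchost.exe found in %MEDIA%& exit /b 1)
copy /b /v "%MEDIA%\svchost.exe" "%LIVE%" >nul
if errorlevel 1 (echo Copy to system32 failed.& exit /b 1)
rem Confirm the restored file matches the staged copy byte for byte.
fc /b "%MEDIA%\svchost.exe" "%LIVE%" >nul 2>&1
if errorlevel 1 (echo Restored file does not match the staged copy.& exit /b 1)
echo Restored %LIVE%; continue with step 10.
exit /b 0

:usage
echo Usage: %~nx0 stage^|restore ^<media-dir^>
exit /b 2
```

The donor machine should be at the same Windows XP service pack level as the affected one, since the script checks the copy only against the donor's own svchost.exe.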