Defective McAfee update causes worldwide meltdown of XP PCs

At 6AM today, McAfee released an update to its antivirus definitions for corporate customers which had a slight problem. And that slight problem makes PC useless until manual repair.


Here’s how the SANS Internet Storm Center describes the screw-up:

McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and [lose] all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of “ePolicyOrchestrator”, which is used to update virus definitions across a network, appears to have [led] to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update “DAT” files throughout enterprises. It can not be used to undo this bad signature because affected system will lose network connectivity.
The problem is a false positive which identifies a regular Windows binary, “svchost.exe”, as “W32/Wecorl.a”, a virus.

McAfee now has its own KnowledgeBase page posted, with details about the problem and the fix. The symptoms are described, tersely, as “Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.”