W32 Wecorl.a McAfee?

My company has just been hit with what seems to be a massive infection of a new variant of the W32.wecorl.a virus. I don't understand what happened today.

A large number of machines all of a sudden began rebooting with DCOM server process launcher errors. McAfee detects svchost.exe as infected with virus W32 Wecorl.a.

Users boot up and log in then they get a notice from McAfee that an infection was detected and the system shuts down and reboots.

This virus/trojan is fairly old and should have been caught by McAfee, unless some new exploit is able to drop it without McAfee Virus reacting to it.

What is this W32 Wecorl.a virus, how did it bypass McAfee and how do I remove it?

asked by Tanner in Software | 2594 views | 04-21-2010 at 05:25 PM

Same thing happened to me. All the computers on our network are infected with the W32/Wecorl.a virus, an old and outdated virus that McAfee should be able to kill no prob. I looked, and all the unaffected comps on the network are running old DAT releases.

Systems are primarily WinXP with up-to-date patches and running McAfee VirusScan Enterprise with updated Defs (at least to yesterday)

Is there a way to remove the W32 Wecorl.a virus? What's the fix?

answered by Nicholas | 04-21-2010 at 05:27 PM

Fix now is to roll back to the previous version, which may be a manual process for many.
This is the workaround for the W32 Wecorl.a virus.

If you are running McAfee and have an issue with your computer rebooting due to a DCOM crash and W32/Wecorl.a is reported on your machine then it is caused by a known issue with DAT 5958.

To solve this problem get the old superDAT from McAfee at http://www.mcafee.com/apps/downloads...ent=enterprise and run the file from the command prompt with a /F to force downgrade. That will work until McAfee fixes the issue.

answered by Douglas | 04-21-2010 at 05:29 PM

W32/Wecorl.a is a relatively old virus and should have been detected and disposed of properly by VirusScan without a hitch. On the McAfee communities site, users are reporting that a faulty version 5958 DAT file is causing the false positive.

answered by Axel | 04-21-2010 at 07:05 PM

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

--> https://kc.mcafee.com/corporate/inde...ent&id=KB68780

Has anyone else also had these problems and already know how to fix them?

copy paste cut move NOT possible (use total commander)
internet NOT working
some programs NOT working
sound NOT working
system restore not working
Safe Mode: the same...

happened after the reboot that the virus caused......

answered by HaX | 04-21-2010 at 09:01 PM

sorry for double posting

all the problems from the previous post will also be fixed
after following the instructions in the link from the previous post.

answered by HaX | 04-21-2010 at 09:58 PM

Also a simple rollback might help, like Douglas said.
Instead of downloading an old SuperDAT file you might wanna try:

VirusScan Console: > extra > rollback DAT's (or something like that)
not sure if it works but if it works you don't need to download the old file.

and the next time McAfee will download the latest update (fix update) 5959

not sure if this method works but you can try it if you don't want to do all those manual steps provided in the link above.


Am I the only one with no reboot problems but with other problems like I said before?

answered by HaX | 04-22-2010 at 09:43 AM
