Yesterday McAfee released a new antivirus signature file, DAT 5958, which detects a W32/Wecorl.a 0-day attack on English-language Windows XP SP3 PCs. The cause is an aggressive heuristic memory scan for mutations of the Wecorl malware. As a result, svchost.exe is identified as the potential culprit and, depending on how the software is configured, eliminated.

Further information (in German) can be found at .: Daniel Melanchthon :. : McAfee DAT Version 5958 False Positive bei Windows XP SP3, or in the mail below.


What is the purpose of this alert?
Microsoft has been made aware of an issue with a McAfee DAT file update - released Wednesday, April 21, 2010 - that has been causing stability issues on Windows XP client systems. The symptom is caused by a false-positive detection on a core Windows file (svchost.exe). Once the file is quarantined by McAfee, the system may encounter one of the following symptoms:

* The computer shuts down when a DCOM error or an RPC error occurs.
* The computer continues to run without network connectivity.
* The computer triggers a Bugcheck (Blue Screen).

The DAT file version that caused the problem is McAfee DAT 5958. This file was propagated to client machines that conduct automatic updates of definition files. McAfee updated the DAT file soon after the problem was identified with a new version that does not cause the problem.

Resolution Steps

Please review the following KB Articles for specific steps to resolve the issue on systems that are affected.

McAfee KB Article:

Microsoft KB Article:
McAfee delivers a false-positive detection of the W32/wecorl.a virus when version 5958 of the DAT file is used


We recommend customers affected by this symptom first review the McAfee KB Article referenced above. For further assistance, customers should contact McAfee. Customers who are unable to resolve the issue through these means can contact Microsoft for technical support using resources found on this Web page: Microsoft Support.

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's Web-based security content, the information in Microsoft's Web-based security content is authoritative.

Thank you,
Microsoft CSS Security Team