What is the faulty McAfee virus definition file doing to Windows XP machines?
Twitter has been buzzing with the news this afternoon that McAfee updates were shutting down XP PCs, and we’ve heard that California sent out an email to state workers a little while ago warning them of the problem. Also apparently affected: the University of Illinois at Urbana-Champaign, over 100,000 computers serviced by a UK IT firm, and presumably countless others, based on the reports that keep coming in. According to Engadget: “DAT update 5958 deletes the svchost.exe file, which then triggers a false-positive in McAfee itself and sets off a chain of uncontrolled restarts and loss of networking functionality.” There’s also, apparently, a fix (unconfirmed) according to Twitter user scratchfury: boot to safe mode; rename mcshield.exe; reboot; run Virus Console and pick Tools -> Rollback DAT; rename the file back to mcshield; reboot. That fix, though, as commenter Denver80203 points out below, only prevents you from getting nailed. Once your computer has been hit, things get a lot more complicated.
The Windows Vista console IME was incorrectly tagged by McAfee’s security products as the Trojan PWS-LegMir due to a faulty definitions file. The false positive was corrected in a later definitions update. The 5409 DAT files released on October 20, 2008 contained a bad signature that falsely detected a legitimate Windows Vista component as malware. Because of the faulty signature, the McAfee products quarantined or completely deleted the conime.exe (Windows Vista console IME) file, which they generically detected as belonging to the PWS-LegMir Trojan. McAfee explains that the false positive occurred because that particular definition is designed to generically detect multiple Trojan-type malicious applications that steal passwords. “This includes trojans written in multiple HLLs, including MSVC, MSVB and Delphi,” claims McAfee. The name PWS-LegMir.gen or PWS-LegMir.gen.b comes from the fact that, in addition to stealing passwords from various locations on the system, the trojans which are det
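Both incidents above share one failure mode: a signature update takes a destructive action (delete or quarantine) against a core Windows binary (svchost.exe under DAT 5958, conime.exe under DAT 5409), and the damage spreads to every host that pulls the update before anyone notices. The script below is an added example, not code from the article or from McAfee, showing the kind of check a defender can run over antivirus event logs to catch this early: it flags DAT versions whose detections removed a protected system file on several distinct hosts, which is the signal to pause the rollout and roll the DAT back. The log line format, the host names and the allowlist of critical files are all constructed for the example; a real deployment would adapt the parser to the product's actual log layout.

```python
import re
from collections import defaultdict

# Windows binaries that a signature update must never remove. Constructed
# allowlist for this example: the two files from the incidents above plus a
# few other well-known system executables.
CRITICAL_SYSTEM_FILES = {
    "svchost.exe", "conime.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "explorer.exe",
}
# Only hits under the real Windows directories count; a same-named file
# elsewhere is more likely to be malware imitating a system binary.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64")

# Assumed, constructed log format (not McAfee's real log layout):
# <date> <time> dat=<n> host=<name> action=<verb> name=<detection> path=<file>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dat=(?P<dat>\d+) host=(?P<host>\S+) "
    r"action=(?P<action>\w+) name=(?P<name>\S+) path=(?P<path>.+)$"
)
# Actions that actually remove the file from the running system.
DESTRUCTIVE_ACTIONS = {"deleted", "quarantined"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["dat"] = int(ev["dat"])
    return ev


def is_critical_system_file(path):
    """True if path is a protected binary located inside a Windows system directory."""
    norm = path.replace("/", "\\").lower()
    dirname, _, base = norm.rpartition("\\")
    return base in CRITICAL_SYSTEM_FILES and dirname in SYSTEM_DIRS


def summarize_by_dat(lines):
    """Group destructive hits on critical files by DAT version: hosts affected and files hit."""
    hosts = defaultdict(set)
    files = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        if is_critical_system_file(ev["path"]):
            hosts[ev["dat"]].add(ev["host"])
            files[ev["dat"]].add(ev["path"].lower())
    return {dat: {"hosts": len(hosts[dat]), "files": sorted(files[dat])} for dat in hosts}


def dats_to_roll_back(lines, min_hosts=2):
    """DAT versions that removed a critical system file on at least min_hosts distinct hosts."""
    summary = summarize_by_dat(lines)
    return sorted(dat for dat, s in summary.items() if s["hosts"] >= min_hosts)


# Constructed sample events: two real system-file hits under 5958, one hit on a
# look-alike outside the system directory (not a false positive), the 5409
# conime.exe hit reported twice by one host, and an unrelated cleaned dropper.
SAMPLE_LOG = r"""
2010-04-21 14:02:11 dat=5958 host=xp-ws-01 action=deleted name=EXAMPLE.Generic path=C:\WINDOWS\system32\svchost.exe
2010-04-21 14:02:15 dat=5958 host=xp-ws-02 action=deleted name=EXAMPLE.Generic path=C:\WINDOWS\system32\svchost.exe
2010-04-21 14:03:40 dat=5958 host=xp-ws-03 action=quarantined name=EXAMPLE.Generic path=C:\Documents and Settings\bob\svchost.exe
2008-10-20 09:15:02 dat=5409 host=vista-ws-07 action=quarantined name=PWS-LegMir.gen path=C:\Windows\System32\conime.exe
2008-10-20 09:15:03 dat=5409 host=vista-ws-07 action=quarantined name=PWS-LegMir.gen path=C:\Windows\System32\conime.exe
2010-04-21 14:05:00 dat=5958 host=xp-ws-04 action=cleaned name=EXAMPLE.Generic path=C:\temp\dropper.exe
""".strip().splitlines()

if __name__ == "__main__":
    for dat, s in sorted(summarize_by_dat(SAMPLE_LOG).items()):
        print(f"DAT {dat}: {s['hosts']} host(s), files {s['files']}")
    print("roll back:", dats_to_roll_back(SAMPLE_LOG))
```

The `min_hosts` threshold is the design choice worth noting: a single host losing svchost.exe could be a genuinely infected machine whose malware overwrote the real file, but the same protected file disappearing on several hosts within minutes of one DAT version is the pattern of a bad signature, and that is the point at which rolling the DAT back (the remedy both incidents ended with) costs far less than letting the update reach the rest of the fleet.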