
What threat was McAfee trying to detect that resulted in a false positive error?


McAfee added detection for variants of the W32/Wecorl.a threat in DAT file 5958. This detection caused a false positive on the svchost.exe Windows system file. The threat parasitically patches the svchost.exe file by modifying data at the entry point or the entry point itself of the original file, to maintain control on the system. In some instances the patch has been found to be polymorphic in nature. McAfee had observed prior infected versions of svchost.exe files and had detection for this threat. This specific detection was added to target a cluster of infected svchost.exe files gathered through our malware collections, directly associated with samples from the W32/Wecorl.a families. The false positive occurred as a result of new signatures targeting new variants of the Wecorl family of malware when invoked on the file svchost.exe as a part of the memory scanning process. Details of this threat family can be found here: http://vil.nai.com/vil/content/v_153184.htm. Enhanced drivers
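
The answer above describes the threat as modifying the entry point of svchost.exe or the data at it. A file-integrity check along those lines, comparing a candidate file against a known-good copy, as an added example: it is not McAfee's detection logic and not part of the original answer, and the function names and the constructed minimal PE images are assumptions made for illustration.

```python
import struct

def entry_point_info(pe: bytes, n: int = 16):
    """Return (entry RVA, containing section, first n bytes at the entry point)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            off = rptr + entry_rva - vaddr
            return entry_rva, name.rstrip(b"\0").decode(), pe[off:off + n]
    raise ValueError("entry point lies outside every section")

def compare_to_baseline(baseline: bytes, candidate: bytes):
    """Report entry-point differences between a known-good copy and a candidate."""
    b_rva, b_sec, b_code = entry_point_info(baseline)
    c_rva, c_sec, c_code = entry_point_info(candidate)
    findings = []
    if c_rva != b_rva:
        findings.append("entry point address changed")
    if c_sec != b_sec:
        findings.append("entry point moved to another section")
    if c_rva == b_rva and c_code != b_code:
        findings.append("bytes at entry point changed")
    return findings

def build_sample(entry_rva=0x1000, code=b"\x55\x8b\xec" + b"\x90" * 13):
    """Constructed minimal PE32: one .text section, RVA 0x1000, file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva).ljust(0xE0, b"\0")
    text = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0") + code.ljust(0x200, b"\xcc")

if __name__ == "__main__":
    good = build_sample()
    print(compare_to_baseline(good, good))
    print(compare_to_baseline(good, build_sample(code=b"\xaa" * 16)))  # constructed bytes
    print(compare_to_baseline(good, build_sample(entry_rva=0x1100)))
```

In practice the baseline would be a copy of svchost.exe taken from trusted installation media for the same Windows build and patch level.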
