W32/Wecorl.a Virus is False Positive – McAfee

Some Windows XP users with updated computer security patches and running McAfee Virus Scan Enterprise claimed that their systems have just been hit with what seems to be a massive infection of a new variant of the W32.wecorl.a virus.

When the users boot up and log in, they get a notice from McAfee that an infection was detected and the system shuts down and reboots. The W32/Wecorl.a is false positive which occurs when you think you have a specific vulnerability in your program, but in fact you don’t. Some security scanners scan an application and attempt to find vulnerability. Sometimes the signatures make mistakes and report a vulnerability that may not exist.

What to do?

McAfee said that they are aware of a W32/Wecorl.a false positive with the 5958 DAT file released on April 21, 2010. To stop the false positive from occurring, users have to download this extra.dat file.

If you downloaded the extra.data file and still encountering the false positive, just leave a comment below so we can contact McAfee. Stay tuned for more updates!

Update 1: via McAfee Corporate KnowledgeBase ID KB68780


Blue screen or DCOM error (dcom server process launcher terminated unexpectedly), followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.


WARNING: If you have not done so already, do NOT download the 5958 DAT and disable all automatic pull and update tasks.

Workaround 1:

McAfee has developed an EXTRA.DAT to suppress this detection. The file can be downloaded here. This EXTRA.DAT does not fix the issue, it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

To apply the EXTRA.DAT locally:

IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.

To apply the EXTRA.DAT locally:

1. Download the EXTRA.ZIP file here and extract the EXTRA.DAT file.
2. Click Start, Run, type services.msc and click OK.
3. Right-click the McAfee McShield service and select Stop.
4. Copy the EXTRA.DAT file to the following location:

\Program Files\Common Files\McAfee\Engine

5. In the Services window, right-click McAfee McShield and select Start.

For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:

* ePO 4.0 – KB52977
* ePO 4.5 – KB67602

To restore files from Quarantine locally:

1. Open the VirusScan Console.
2. Double-click Quarantine Manager Policy.
3. Click the Manager tab.
4. Right-click the required item and select Restore.

For additional information, see the VirusScan Enterprise Product Guide for your version of VirusScan Enterprise.

For instructions on how to use an ePolicy Orchestrator Scheduled task to restore quarantined files, see the ePolicy Orchstrator Product Guide.

If the fix above work for you, just leave a comment below.

Update 2:

Some said (via Engadget) that the McAfee official fix released only helps those who haven’t been hit with the bug yet, so there’s obviously still issues to be sorted out. We’ll keep you updated.

If you are new here, you can subscribe either by E-mail or by RSS Feeds. Follow me also on Twitter.

Bert Padilla

Founding-Editor of Cebu Tech Blogger where he shares insights in eCommerce, Digital Marketing, Ad Ops, Tech, Startups, Technopreneurship, Life Goals and Hacks. He's the brainchild and ninja of a Cebu-based digital agency, TekWorx.Digital, with ventures TekWorx, (eCommerce and Digital Marketing), AdWorx (Outsourced Ad Ops for Publishers) and BlogWorx (full-fledged Blog Development service). Read his Full Curriculum Vitae. For training and consultancy, services, speaking engagements, blog partnerships or media invites, click here. Alternatively, get in touch with him on Messenger.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close Menu