Around 9am I got to looking at a user’s machine which was being particularly obstinate. Nothing was working right – network access, file management, device connection, even login. A virus, I thought, and set about trying to figure out which one and how to counter it.
And thus was our whole day consumed, as one computer after another bit the dust. Classrooms cracked up, offices went offline, and faculty computers freaked out. Not all machines, just some of them. It was too widespread to be from a specific website; this had the mark of network distribution on it. It acted oddly for a virus, though, disabling the network cards and USB device drivers. Seldom does a virus cut off its own means of spreading.
Turned out it was network-distributed though. The campus virus-ninja came to investigate and found that svchost.exe (a vital Windows file) had been “zeroed out”, which meant it was just an empty file name with nothing in it.
Our network admin Pete Juvinall and our brilliant student tech Nick Friedel found out that the nefarious program in question was… (drumroll please) McAfee AntiVirus. That’s right, the program meant to protect the machine was damaging the machine. It’s a digital auto-immune disease; the latest .dat file mis-identified XP SP3 svchost.exe as a virus.
Pete was interviewed by AP and just got called by CBS Nightly News, so he’s famous. (MrsDoF says: “I bet he’d rather be rich.”) And here’s the thing: McAfee’s website, all the tech websites and forums were useless on this fast-breaking crisis. Nick and Pete found the answers on Twitter.
I hope Twitter can find a way to monetize its operations, because it is quickly becoming a global nervous system. A flu outbreak? The CDC can track it on Twitter. Terrorist attack? Get advance information on exactly what kind of attack to coordinate the response. Earthquake? Tweets actually move faster than S- and P-waves. Blackouts, food poisoning, apple Danish just out of the bakery oven, you name it, Twitter moves information about it. It can even help a network administrator in the Midwest become the celebrity hero of a… um, anti-virus attack.
- Read that AP article for some idea of the mayhem this caused in law enforcement, medicine, etc.
- Nick said he’d post his fix procedure on his website in the next hour or so.
- Briefly, the procedure is as follows: start up in safe mode, rename mcshield.exe to something else. Copy a good svchost.exe into your \windows\system32 directory. Restart. Start up McAfee Antivirus Console and either roll back or forward to get off .dat 5958. Restore the name of mcshield.exe and restart. It’s a miracle!
- Oh, and McAfee? Best you lay low for a while. We’re not happy with you.
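The safe-mode part of that procedure as a cmd batch script, added here as an illustration; it is not Nick’s posted fix and not anything from McAfee. The VirusScan Enterprise install folder and the location of the known-good svchost.exe (a USB stick at E:\good\svchost.exe, copied from an unaffected XP SP3 machine) are assumptions. The script runs in two passes because the DAT rollback in the VirusScan Console has to be done by hand in between: the first pass checks for the zero-byte svchost.exe, parks mcshield.exe and restores the file; `restore` puts mcshield.exe back afterwards.

```batch
@echo off
REM Added example, not the fix Nick posted: scripts the safe-mode part of the recovery
REM described above. Assumptions: VirusScan Enterprise lives under
REM %ProgramFiles%\McAfee\VirusScan Enterprise, and a known-good XP SP3 svchost.exe
REM sits on a USB stick at E:\good\svchost.exe. Run from Safe Mode as an administrator
REM (in Safe Mode the McAfee service is not running, so mcshield.exe is not locked).
setlocal
set "MCAFEE_DIR=%ProgramFiles%\McAfee\VirusScan Enterprise"
set "GOOD_SVCHOST=E:\good\svchost.exe"
set "TARGET=%SystemRoot%\system32\svchost.exe"

if /i "%~1"=="restore" goto restore

REM --- Pass 1: run before the first reboot ------------------------------------
REM Confirm the symptom: the bad DAT "cleaned" svchost.exe down to a zero-byte file.
set SVCHOST_SIZE=missing
for %%F in ("%TARGET%") do if exist "%TARGET%" set SVCHOST_SIZE=%%~zF
if not "%SVCHOST_SIZE%"=="0" (
    echo svchost.exe is %SVCHOST_SIZE% bytes, not zero. Not the DAT 5958 symptom; stopping.
    exit /b 1
)

REM Refuse to copy in another empty or absent file.
if not exist "%GOOD_SVCHOST%" (
    echo No known-good svchost.exe at %GOOD_SVCHOST%.
    exit /b 1
)
for %%F in ("%GOOD_SVCHOST%") do if "%%~zF"=="0" (
    echo %GOOD_SVCHOST% is zero bytes too; get a copy from an unaffected XP SP3 machine.
    exit /b 1
)

REM Park the on-access scanner so it cannot quarantine the restored file on the next boot.
if exist "%MCAFEE_DIR%\mcshield.exe" (
    ren "%MCAFEE_DIR%\mcshield.exe" mcshield.exe.disabled
    echo Renamed mcshield.exe to mcshield.exe.disabled
)

REM Put the good svchost.exe back; /y overwrites the empty file without prompting.
copy /y "%GOOD_SVCHOST%" "%TARGET%" >nul
for %%F in ("%TARGET%") do echo Restored svchost.exe, now %%~zF bytes.
echo.
echo Now reboot normally, open the VirusScan Console and get off DAT 5958
echo by rolling back or updating forward, then run:  %~nx0 restore
exit /b 0

REM --- Pass 2: run after the DAT has been changed -----------------------------
:restore
if not exist "%MCAFEE_DIR%\mcshield.exe.disabled" (
    echo Nothing to restore: %MCAFEE_DIR%\mcshield.exe.disabled not found.
    exit /b 1
)
ren "%MCAFEE_DIR%\mcshield.exe.disabled" mcshield.exe
echo mcshield.exe restored. Reboot to bring the on-access scanner back.
exit /b 0
```

The size checks are the part worth keeping even if you do the rest by hand: a non-zero svchost.exe means the machine has a different problem, and copying in a zero-byte “good” file from a stick that was itself cleaned by the same DAT would just repeat the damage.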