Chinese PC users still contending with Symantec signature foul-up

Computerworld -

Millions of Chinese PCs running Symantec Corp. antivirus software have been incapacitated by a faulty virus signature distributed last week, government media reported Sunday.

A virus-signature update delivered automatically to users on Friday about 1:00 a.m. Beijing time to Symantec's antivirus scanning engine mistook two critical system files of the Simplified Chinese edition of Windows XP Service Pack 2 for a Trojan horse. The two files -- netapi32.dll and lsasrv.dll -- were falsely quarantined, which in turn crippled Windows. If an affected PC was rebooted, Windows failed on start-up and showed only a blue screen.

"The update of Norton's virus database on Friday has caused millions of PCs and computers to crash, a heavy blow to people's daily work and ongoing business," China's state-sponsored Xinhau News Agency said today (Sunday).

Other reports, which cited numbers as low as 7,000 affected PCs, also circulated in Chinese technology and mainstream media reports over the weekend, with crippled systems said to be concentrated in Beijing, Shanghai and Guangzhou province.

Symantec re-released a revised signature update around 2:30 p.m. Friday, Beijing time, but the fix was too late for any PC that had been rebooted in the intervening 13 and a half hours. Those now-worthless systems needed new copies of the two .dll files restored to the hard drive's "windowssystem32" directory.

China-based bloggers and pundits criticized the U.S. company for not clearly posting information about the problem, and worse, not linking to a solution for restoring computers from its support site. "You’d think if you accidentally killed a few hundred thousand PCs in China, you'd mention it on your website, hmm?, and put some links on how to recover from it," wrote a a South African expatriate living in Shanghai.

Symantec did post a support document on its Chinese-language Web site that outlined how to use the Windows XP installation CD to start the PC and use the Recovery Console, a command line-driven restore tool of last resort, to replace the quarantined netapi32.dll and lsasrv.dll with new copies. There was no notice of the update problem or the solution, however, on the site's front page, nor on the company's global home page, which is in English.

Recovery may be all but impossible for some users. Many PC makers now forgo installation or restore CDs and instead slap recovery files on the hard drive itself, often in a separate partition. In cases like these, users would have to obtain copies of the two .dll files from another, working PC.

That raises even more trouble, said Antony Ma, an IT audit manager at a Hong Kong bank. "[What] worries me the most is that people will try to download these [.dll] files on the Web in order to repair their computers," said Ma in a blog dated Monday, Hong Kong time. "The integrity of these files is in question if they do not come from an authenticated source. A malicious hacker may plant a virus or back door in these system files and offer them in discussion groups."