Symantec false positive cripples thousands of Chinese PCs

Virus signature update mistakes critical Windows files for malware

A signature update to Symantec Corp.'s antivirus software crippled thousands of Chinese PCs Friday when the security software mistook two critical Windows .dll files for malware.

According to numerous blog entries from Chinese computer users, a virus-signature database seeded yesterday mistook two system files of a Chinese edition of Windows XP Service Pack 2 as a Trojan horse that Symantec dubbed "Backdoor.Haxdoor." The antivirus software -- Norton AntiVirus, for example, or the antivirus component of the Norton 360 or Norton Internet Security suites -- then quarantined the netapi32.dll and lsasrv.dll files.

"With these files removed, Windows XP will no longer start up, and even the system Safe Mode no longer functions," said one user writing to the Alt.comp.anti-virus newsgroup this morning.

Late Friday, China time, the Chinese Internet Security Response Team (CISRT) posted an alert on its English-language blog. "It's a terrible day for lots of Chinese users (especially Enterprise Users) who use Norton products today," CISRT said. Other reports claimed that more than 7,000 users had already contacted Rising Antivirus International Pty, asked for help on how they could recover their PCs. On the Chinese security company's home page, its threat gauge was rated at red late Friday, the highest ranking this year.

In an e-mailed statement, Symantec acknowledged the signature update bug and said it re-released a new update late Thursday, U.S. time. The Cupertino, Calif.-based security vendor also said that only Simplified Chinese versions of Windows XP SP2 that have been patched with a Microsoft Corp. fix from November 2006 were affected.

If the PC hasn't been rebooted, users can grab the revised signature update to fix the problem, said Symantec. But if Windows was restarted after the flawed update, the user will have a much harder row to hoe. Because the bad signature update removed the two .dll files, Windows won't boot -- it ends in a so-called blue screen of death, said CISRT -- and so there's no way to retrieve the new signature or to restore from a backup.

"Customers impacted by this issue following reboot of an affected system can return their system(s) to the previous state through use of the Windows recovery console," Symantec said. XP's recovery console is a command-line-driven tool that gives limited access to the PC and its hard drive. Users writing on online forums recommended that users copy the two .dll files from their Windows restore CD to the hard drive.

A likely snafu in that scenario, however, is that many Chinese users don't have a restore CD because they're running pirated copies of Windows.

"Norton this time has made a very serious mistake," the Chinese-language Sogou news site said [translation by Babelfish -- eds.].

"All the main news channel in China has reported this since 6 in the morning ECT +8, but symantec keeps silence," someone identified as "Ink" said on the Wilders Security Forum.

Other antivirus companies have gone through similar fiascos. In March, users blamed Microsoft's Windows Live OneCare for deleting Outlook e-mail files, although the company denied that the security service was at fault. More than two years ago, Trend Micro Inc. distributed a flawed virus-definition file that slowed thousands of PCs to a crawl. Three months later, the antivirus vendor said that the incident had run up $8.2 million in direct costs to the company.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon