From: mike 


http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9
019958

===
A signature update to Symantec's anti-virus software crippled thousands of
Chinese PCs Friday when the security software took two critical Windows
.dll files for malware.

According to numerous blog entries from Chinese computer users, a virus
signature database seeded yesterday mistook two system files of a Chinese
edition of Windows XP SP2 as a Trojan horse which Symantec dubs
"Backdoor.Haxdoor." The anti-virus software -- Norton AntiVirus,
for example, or the anti-virus component of the Norton 360 or Norton
Internet Security suites -- then quarantined the netapi32.dll and
lsasrv.dll files.

"With these files removed, Windows XP will no longer start up, and
even the system Safe Mode no longer functions," said one user writing
to the alt.comp.anti-virus newsgroup this morning.

Late Friday, China time, the Chinese Internet Security Response Team
(CISRT) posted an alert on its English-language blog. "It's a terrible
day for lots of Chinese users (especially Enterprise Users) who use Norton
products today," CISRT said. "This issue has made a huge
effection to Chinese people." Other reports claimed that more than
7,000 users had already contacted Rising Antivirus, a Chinese security
company, asked for help on how they could recover their PCs. On Rising's
home page, its threat gauge was rated at red late Friday, the highest
ranking this year.

In an e-mailed statement, Symantec acknowledged the signature update bug
and said it re-released a new update late Thursday, U.S. time. The
Cupertino, Calif.-based security vendor also said that only Simplified
Chinese versions of Windows XP SP2 that have been patched with a Microsoft
fix from November 2006 were impacted.

If the PC hasn't been rebooted, users can grab the revised signature update
to fix the problem, said Symantec. But if Windows was restarted after the
flawed update, the user has a much harder row to hoe. Because the bad
signature update removed the two .dll files, Windows won't boot
-- it ends in a Blue Screen of Death, said CISRT -- and so there's no
way to retrieve the new signature or to restore from a backup.

"Customers impacted by this issue following reboot of an affected
system can return their system(s) to the previous state through use of the
Windows recovery console," Symantec said. XP's recovery console is a
command line-driven tool that gives limited access to the PC and its hard
drive. Users writing on online forums recommended users copy the two .dll
files from their Windows restore CD to the hard drive.

A likely snafu in that scenario, however, is that many Chinese users don't
have a restore CD because they're running pirated copies of Windows.

"Norton this time has made a very serious mistake," the
Chinese-language Sogou news site said [translation by Babelfish -- eds.].

"All the main news channel in China has reported this since 6 in the
morning ECT +8, but symantec keeps silence," someone identified as
"Ink" said on the Wilders Security Forum.

Other anti-virus companies have gone through similar fiascos. In March,
users blamed Microsoft Corp.'s Windows Live OneCare for deleting Outlook
e-mail files, although the company denied that the security service was at
fault. More than two years ago, Trend Micro Inc. distributed a flawed virus
definition file that slowed thousands of PCs to a crawl. Three months
later, the anti-virus vendor said that the incident had run up
$8.2 million in direct costs to the company.
===

 /m

--- BBBS/NT v4.01 Flag-5