Millions of Chinese Hit by Symantec Foul-Up

Millions of Chinese PCs running Symantec Corp. antivirus software have been incapacitated by a faulty virus signature distributed last week, government media reported Sunday.

A virus-signature update delivered automatically to users on Friday about 1:00 a.m. Beijing time to Symantec's antivirus scanning engine mistook two critical system files of the Simplified Chinese edition of Windows XP Service Pack 2 for a Trojan horse. The two files -- netapi32.dll and lsasrv.dll -- were falsely quarantined, which in turn crippled Windows. If an affected PC was rebooted, Windows failed on start-up and showed only a blue screen.

"The update of Norton's virus database on Friday has caused millions of PCs and computers to crash, a heavy blow to people's daily work and ongoing business," China's state-sponsored Xinhau News Agency said Sunday.

Other reports, which cited numbers as low as 7,000 affected PCs, also circulated in Chinese technology and mainstream media reports over the weekend, with crippled systems said to be concentrated in Beijing, Shanghai and Guangzhou province.

Symantec re-released a revised signature update around 2:30 p.m. Friday, Beijing time, but the fix was too late for any PC that had been rebooted in the intervening 13 and a half hours. Those now-worthless systems needed new copies of the two .dll files restored to the hard drive's "windows\system32" directory.

China-based bloggers and pundits criticized the U.S. company for not clearly posting information about the problem, and worse, not linking to a solution for restoring computers from its support site. "You'd think if you accidentally killed a few hundred thousand PCs in China, you'd mention it on your website, hmm?, and put some links on how to recover from it," wrote a a South African expatriate living in Shanghai.

Symantec did post a support document on its Chinese-language Web site that outlined how to use the Windows XP installation CD to start the PC and use the Recovery Console, a command line-driven restore tool of last resort, to replace the quarantined netapi32.dll and lsasrv.dll with new copies. There was no notice of the update problem or the solution, however, on the site's front page, nor on the company's global home page, which is in English.

Recovery may be all but impossible for some users. Many PC makers now forgo installation or restore CDs and instead slap recovery files on the hard drive itself, often in a separate partition. In cases like these, users would have to obtain copies of the two .dll files from another, working PC.

That raises even more trouble, said Antony Ma, an IT audit manager at a Hong Kong bank. "[What] worries me the most is that people will try to download these [.dll] files on the Web in order to repair their computers," said Ma in a blog dated Monday, Hong Kong time. "The integrity of these files is in question if they do not come from an authenticated source. A malicious hacker may plant a virus or back door in these system files and offer them in discussion groups."

Ma and others on message forums over the weekend took Symantec to task for publishing the buggy virus update. "There are actually two control points within the release process of a virus definition," said Ma. "The first one is the approval and verification process for adding a system file to their blacklist. System files are high- risk files since they impact the whole system, instead of a single application.

"The second is the testing of the definition before publishing," he said. "Does Symantec test all their definitions with all versions of OS?"

In the Chinese-language support document, Symantec blamed the false positive on an automated process used to develop signatures. Company spokespeople based in the U.S. and in Australia -- the company no longer has a press representative in China -- did not respond to e-mails sent Sunday asking for comment and explanation.

This isn't the first false positive for Symantec. As recently as March, the company's enterprise antivirus scanner fingered a Windows XP and Windows 2000 system file -- sfc.dll, which verifies the integrity of stored files -- as malware. Like the newest error, this false reading quarantined a crucial file, which paralyzed some PCs.

Subscribe to the Security Watch Newsletter

Comments