I feel pretty bad for those people running the Chinese version of Windows XP SP2 along with Norton Antivirus. It appears that last Friday around 1:00AM Beijing time Symantec updated Norton’s antivirus definitions which flagged two system files, netapi32.dll and lsasrv.dll, as “Backdoor.Haxdoor” trojans.
If the user restarted the computer after receiving the update, they are going to have a fun time recovering those two files. After the computer restarts, the user is greeted with a Blue Screen of Death (BSoD), and trying to boot into safe mode won't do them any good either. Symantec has posted instructions (translated to English) on using the Windows XP Recovery Console to restore those two files from the installation CD.
Those people who didn’t restart their computers after the updated definitions are much more fortunate. Symantec released a corrected version of their definitions that same day at 2:30PM Beijing time, and if you update the definitions to the latest version it should counteract the effects.
The number of computers affected has been reported to be anywhere between 7,000 and several hundred thousand. Despite that much damage, Symantec has nothing posted on their front page about the event. The only article they have regarding the situation is the recovery instructions (linked above), and it is only in Chinese.
There is another sticky situation to consider, and that is what people running pirated copies of Windows XP will do. They probably don't have the installation CD anymore, which means they will look for the two files online and download them. This could be extremely bad, because they may end up downloading files that are themselves infected, which would just result in an even larger mess.
Symantec definitely took the wrong approach on this. In my opinion they should have done many things differently:
- Updated their virus definitions sooner than 13 hours after the destructive update was released.
- Have a nice big link on their homepage so that people looking to solve the problem can easily locate the solution.
- Finally, they should offer some sort of downloadable patch that users can put on a floppy disc or CD. Then they could boot up the utility on their computer, press a button, and it would automatically copy the two needed files over to the proper location. That way Symantec can verify that the two files being used are legitimate, and that the proper steps are being taken to correct the issue.
All I can say is…what a mess!