Computerworld - Last week, I started getting a daily pop-up message alerting me that our antivirus software had discovered the file winllogo.exe in my default directory. A little research told me why the antivirus software was flagging winllogo.exe: It’s the file dropped onto a system infected by the PRSKEY vulnerability. But I still didn’t know why this was happening repeatedly.
PRSKEY is a fairly old spyware worm that we had the pleasure of dealing with back in 2005. After this worm infects a system, it sits in the background waiting for the user to enter his username and password in either the somewhat popular video game Priston Tale or a Yahoo Web mail account. Once the user does that, a keystroke logger kicks in and begins capturing user keystrokes, including usernames and passwords.
Supposedly, this worm will eventually send this information to a listening Web site. To avoid that, we have placed filters within our NetCache security devices (formerly made by Network Appliance Inc., which sold the NetCache business to Blue Coat Systems Inc. this year) to prevent our Web traffic from reaching such sites. In August 2005, we had a serious problem with this pest infiltrating our environment, and I had to spend many hours managing the incident response. I wasn’t happy to see it rear its ugly head again.
The antivirus software was quashing the spyware when it landed on my machine — that’s why I got the daily pop-up telling me about the incident. But why was it recurring? I got my first clue when I attended the daily operational status meeting. This forum, which usually lasts a brisk 30 minutes or so, is actually one of the more useful meetings I attend. Typically, the data center operations manager goes over outages that might have occurred in the 24 hours since the last meeting, and we review pending change tickets and other operational activities that are either planned or being executed. The help desk also provides statistics on how many calls it received in the past 24 hours.
Last week, the help desk opened several tickets on reports of virus-infected machines. The ticket volume started out fairly low, but as days passed, it rose exponentially. It soon became clear that none of these machines was actually infected by a virus; rather, our antivirus client, Trend Micro Office Scan, had done its job, just as it had done with my PC. Users got pop-up messages about winllogo.exe, and they reported that as an incident. That’s just as it should be, and all those reports were helpful, even if they were about machines that weren’t actually infected.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
