Malware is causing network printers to print random ASCII characters

Article:TECH190982  |  Created: 2012-06-14  |  Updated: 2012-07-30  |  Article URL http://www.symantec.com/docs/TECH190982
Article Type
Technical Solution


Issue



A threat is saving files into the printer spooler directory. Certain printer applications are set to print any file appearing in this directory, so the threat's binary is printed as ASCII characters. This situation may be overwhelming printers, rendering them unusable, and impacting business operations. The printing of random binary data is likely an unintended side effect of the threat.

 


Solution



The malware files causing this behavior are currently detected by Symantec products using the latest definitions as:

 

There are three components involved in this incident: a dropper and two dropped files (one EXE and one DLL). Dropper files are covered by Packed.Generic.372, while dropped files are detected as Adware.Eorezo, Trojan.Milicenso and Packed.Generic.371.

In addition, certain traffic associated with the threat may be blocked via generic IPS detections already in place.

 

If similar problems are encountered that appear related to this threat, but that are not currently detected, please work with Technical Support to submit any additional samples to the Symantec Security Response team for analysis.

 

Examples of how the threat may appear where the issue is present:

(screenshot of the Printer queue status)

 

(example of a binary file printed by the threat)

 

Technical details:

This is complex malware, and each component of the threat is highly encrypted. The key for that encryption is different for each computer because it is based on:

  • VolumeSerialNumber of the system volume
  • Creation time of "c:\windows\system32" and "c:\System Volume Information"

This means that each individual machine will have a series of files that are unique at the byte level.

 

The threat may attempt to contact the following domains:

  • hxxp://storage1.static.itmages.ru
  • hxxp://storage5.static.itmages.ru

 

These domains may be blocked if unnecessary for business operations. Additional recommendations are available in each threat writeup linked above.

 

The Windows print spooler folder is typically located at:

  • c:\Windows\System32\spool
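
Because each machine's files are unique at the byte level, a fixed hash list will not match them. The following is an added triage example (not Symantec's code) that instead flags any file in the spool folder that parses as a Windows executable. The `PRINTERS` subfolder default and the `.spl`/`.shd` allow-list are assumptions about a standard Windows installation.

```python
import os
import struct
import sys

# Assumption: print jobs are queued in the PRINTERS subfolder of the spool
# folder named in the article; pass another path on the command line if needed.
DEFAULT_DIR = r"C:\Windows\System32\spool\PRINTERS"
SPOOL_EXTS = {".spl", ".shd"}  # normal spool data and shadow files


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:  # locked or unreadable file: skip it rather than crash
        return False


def scan_spool(directory=DEFAULT_DIR):
    """Return sorted (path, reason) pairs for files that need review."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            # Check content first: an executable renamed to .spl is still caught.
            if is_pe(path):
                findings.append((path, "PE executable in spool directory"))
            elif ext not in SPOOL_EXTS:
                findings.append((path, "unexpected file type"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for path, reason in scan_spool(target):
        print(f"{reason}: {path}")
```

Files reported as "unexpected file type" are only candidates for review; submit anything reported as an executable to Security Response as described above.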



The threat may be delivered to machines via an email containing an attachment or link, or via a file downloaded from the Internet. There are no indications currently that this is a targeted attack against specific companies.

 



