Hi Michael
We are seeing this issue globally right now and have been working on it for several days. It's a multi-part attack that we started picking up as Trojan.Milicenso and Adware.Gen, then Trojan.ADH.2 and, for now at least, Adware.Eorezo.
I put together this quick FAQ but it is not a finished work as we are still very much in the middle of this investigation.
1-What is happening?
Adware.Eorezo is being written into the printer spooler directory and some printer programs are set to print anything in this directory, including the binary in the form of ASCII characters. This was likely an unintended side effect.
The adware is being dropped into this directory by a new variant of Trojan.Vundo (running as a hidden scheduled task) that uses client-specific encryption to evade detection.
2-What exactly is this, W32.Bugbear@mm?
We are still working out all the details, but we can say this is not W32.Bugbear. The files that are residing in the printer directory are an adware downloader and the adware itself. The third file is a DLL written to be a downloader and run from a scheduled task. This appears to resemble the Trojan.Vundo family.
3-How dangerous is it? And why is it different from any other malicious code?
There is nothing to indicate that this is dangerous. It’s mostly just annoying and wasteful. Very wasteful. That said, the files are heavily encrypted and we may learn that the threat they represent is larger than we can initially see, once the analysis is complete.
4-What is its purpose? Blow up a reactor?
NO. Everything we have seen so far says this is buggy adware.
5-Who created it? And when?
No information yet.
6-Which countries are affected?
There is no indication that this is a targeted attack.
7-Are we detecting it now?
Some, if not most, of it is being detected with current Rapid Release defs, and certified later today. We are working at increasing our coverage to take on the heavy encryption, so that we can pick it all up.
Hope this helps. More to follow.
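As an added example (not part of the message above, and not a vendor tool), the check below is one way a defender could look for the symptom described in question 1: executable images sitting in the print spooler directory, where only spool job files are expected. The default spool path and the set of expected spool extensions are assumptions; the sample directory it builds is constructed data.

```python
import os
import sys
import tempfile
from pathlib import Path

# Assumption: default spool directory of a standard Windows install.
DEFAULT_SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"
# Assumption: extensions the spooler itself writes for queued jobs.
EXPECTED_EXTS = {".spl", ".shd", ".tmp"}


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header that every Windows EXE/DLL carries."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_suspicious_spool_files(spool_dir):
    """Return (name, reasons) for files that are PE images or have a non-spool extension."""
    findings = []
    for entry in sorted(Path(spool_dir).iterdir()):
        if not entry.is_file():
            continue
        reasons = []
        if looks_like_pe(entry):
            reasons.append("PE header")
        if entry.suffix.lower() not in EXPECTED_EXTS:
            reasons.append(f"unexpected extension {entry.suffix or '(none)'}")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


def make_sample_spool_dir():
    """Build a constructed spool directory: two normal job files, one DLL, one PE disguised as .SPL."""
    d = Path(tempfile.mkdtemp(prefix="spool_"))
    (d / "00001.SPL").write_bytes(b"\x01\x00\x00\x00EMF spool data")
    (d / "00001.SHD").write_bytes(b"\x4b\x49\x00\x00shadow job header")
    (d / "dropper.dll").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (d / "payload.spl").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_spool_dir()
    for name, reasons in find_suspicious_spool_files(target):
        print(f"{name}: {', '.join(reasons)}")
```

Run it with the spool directory as the argument on a live host, or with no argument to see it flag the constructed samples.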