Symantec researchers find second malware program recently affecting thousands of printers.
Following reports in June of a virus, identified as Trojan.Milicenso, causing printers in various countries to print huge amounts of useless data and adverts, researchers at technology security firm Symantec have identified a second malware program which could also be causing similar rogue printing problems, reports PC Advisor.
The second virus, known as the W32.Printlove worm, is said to have a propagation routine which can also cause sudden printing of useless data, and spreads between computers on local networks by “exploiting a remote code execution vulnerability in the Microsoft Windows Spooler service”.
The malware starts by “sending a print request to a targeted computer that is specifically crafted to exploit the CVE-2010-2729 vulnerability”. If successful, the malware is copied, dropped in the Windows system directory and then executed. If unsuccessful, the malware is copied into the computer’s printer spool directory, which the computer then interprets as a new print job and consequently prints the file’s contents.
As the worm repeatedly tries to infect the computer system, rogue printing continues until all computers on the network are cleared.
Jeet Morparia, a researcher at Symantec, explained: “Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network.” However, he added that failed attempts at infecting the system leave behind .shd files in the printer spool directory containing details about the printing jobs, and that administrators are able to inspect SHD files with SPLViewer after shutting down the Print Spooler Service.
Morparia also assured that Symantec would “continue [its] investigation to confirm any relationship between the two threats [Trojan.Milicenso and W32.Printlove].” Printers have been affected by the malware worldwide, with the US and India being worst affected.
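Because a failed infection attempt leaves the worm's copy in the printer spool directory as if it were a print job, one triage check is to look for spool files that are really Windows executables. The following is an added example, not code from Symantec or PC Advisor. It assumes the default spool path, that the dropped copy is a PE file (MZ header plus PE signature), and uses constructed sample file names and contents.

```python
import struct
import tempfile
from pathlib import Path

# Default Windows spool location: an assumption, the article does not give the path.
DEFAULT_SPOOL = Path(r"C:\Windows\System32\spool\PRINTERS")

def looks_like_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"

def triage_spool(spool_dir=DEFAULT_SPOOL):
    """Group spool files by job (file stem) and record which ones are executables."""
    jobs = {}
    for f in sorted(Path(spool_dir).iterdir()):
        if not f.is_file():
            continue
        job = jobs.setdefault(f.stem.upper(), {"shd": False, "files": [], "pe": []})
        job["files"].append(f.name)
        if f.suffix.lower() == ".shd":
            job["shd"] = True            # shadow file holding the job details
        if looks_like_pe(f):
            job["pe"].append(f.name)     # "print job" that is a Windows binary
    return jobs

def suspicious_jobs(report):
    """Job ids whose spooled data is an executable rather than printable content."""
    return sorted(job for job, info in report.items() if info["pe"])

def build_sample(d):
    """Constructed sample spool directory (not captured data)."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    pe[0x40:0x44] = b"PE\0\0"
    (d / "00002.SPL").write_bytes(bytes(pe))
    (d / "00002.SHD").write_bytes(b"\0" * 32)
    (d / "00003.SPL").write_bytes(b"%!PS-Adobe-3.0\n" + b" " * 100)
    (d / "00003.SHD").write_bytes(b"\0" * 32)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(suspicious_jobs(triage_spool(tmp)))
```

Run it against a copy of the spool directory taken after stopping the Print Spooler service; the matching .shd file for each flagged job is the one to open in SPLViewer.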