New worm triggers trash print jobs through patched PC
- — 03 July, 2012 12:35
Researchers at Symantec have discovered a second worm in as many weeks that is causing printers to spew garbage printouts.
The worm exploits the Windows print spooler service vulnerability (CVE 2010-2729). While the flaw is being used to infect unpatched machines, it is also causing devices with the relevant patch to submit print jobs containing garbled text. Symantec has labelled the worm W32.Printlove.
“Garbage printing is a side effect experienced by hosts who are patched against CVE 2010-2729 but are attacked by W32.Printlove,” said Symantec threat analyst Jeet Morparia.
Symantec has received “several customer issues about garbage being printed on their network printers,” according to Morparia.
The flaw, for which Microsoft issued a patch in 2010, allows any file transferred through the print spooler to be copied to any directory on a network.
The worm uses that flaw to infect unpatched PCs, however, when it reaches a patched PC, instead of writing files to any directory as it is intended to, it saves a .spl (print spooler) file to that machine’s print spooler directory.
The device will then print the .spl file on a printer that is shared with the infected machine, Morparia explained.
In early June, organisations in the US, India and Europe began reporting that networked printers were spewing “garbled” text and later that month Symantec pinned those incidents on the “Millicenso” trojan.
Like Printlove, the unwanted print jobs were a side effect, but in the case of the Millicenso trojan the print jobs were the result of its efforts to remain hidden from antivirus engines.
“If you have seen junk like this being printed, someone on your network might be infected with W32.Printlove,” explains Symantec threat analyst Jeet Morparia.
Image credit: Symantec.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.
Get exclusive access to CSO, invitation only events, reports & analysis. 
