We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,818 News Articles

Malware infection forces printers to print garbled data, researchers say

New Trojan.Milicenso variants can cause printers to print an executable file

Printers connected to Windows computers infected with new variants of a malware program called Trojan.Milicenso, will automatically print out pages full of garbled data, according to security researchers from antivirus firm Symantec.

On June 9, the SANS Internet Storm Center (ISC) reported about recently observed print bomb attacks that involved printers automatically printing what seemed to be the contents of an executable file.

The SANS ISC's experts obtained a copy of the printed file and determined that it was a part of an adware program -- a program designed to display ads without authorization -- detected by some antivirus products as Adware.Eorezo.

Security researchers from Symantec also investigated reports of unauthorized printouts and found that the Adware.Eorezo file was being dropped on affected computers by new variants of Trojan.Milicenso.

Trojan.Milicenso first appeared in 2010, but a new outbreak has been recorded during the past two weeks, Symantec's security response team said in a blog post on Thursday. "Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America."

The Symantec researchers believe that Adware.Eorezo, which redirects users to French-language website, is being used by Trojan.Milicenso as a decoy to distract attention from itself.

Trojan.Milicenso is distributed in several ways: as a malicious email attachment, as a drive-by download launched from compromised websites or as a fake codec advertised by social engineering scams, the Symantec researchers said.

After it infects a computer, the malware drops a copy of Aware.Eorezo as a randomly named .spl file (Windows Printer Spool File) in the default Windows printer spool directory -- %SystemRoot%\system32\spool\printers. Despite the .spl extension, the rogue file is actually an executable one.

The spool directory temporarily holds copies of files that printers are scheduled to print. Even though some printers allow users to specify a custom spool directory, many configurations use the default Windows one.

This causes printers attached to computers infected with new Trojan.Milicenso variants to automatically print the contents of the rogue .spl file, sometimes until their paper runs out.

"Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather an intentional goal of the author," the Symantec researchers said.

On Thursday, researchers from SANS ISC discovered a new variant of this Trojan program with a very reduced antivirus detection rate, suggesting that the

Users who observe this type of unauthorized printer behavior are advised to scan their computers with an antivirus program capable of detecting and removing Trojan.Milicenso and Aware.Eorezo.


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'