A Windows virus has been causing havoc – by making printers churn out page after page of nonsense.
The spike in activity from the virus – called Trojan.Milicenso – was spotted by security firm Symantec. The company says the malware sends constant print jobs to the printer, meaning page after page is printed out and keeps going until the machine runs out of paper.
It was first spotted back in 2010 and is described by Symantec as basically a "malware delivery vehicle for hire." It has been spotted primarily in the US and India, with parts of South America and Europe also hit.
It infects computers through malicious email attachments or when a user visits an infected website, an attack known as a drive-by download.
Making printers go crazy isn’t the malware’s primary goal. Symantec says that the virus is well encrypted, so full analysis is difficult, but it appears to redirect a user’s web traffic to serve up certain adverts. Symantec says the chain of redirects often leads to French language websites.
One side effect of this malware is that it inserts a .spl print spooling file into the network’s print queue.
"The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo," the Symantec blog explained. "Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs."
"This explains the reports of unwanted printouts observed in some compromised environments. Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather than an intentional goal of the author," the blog added.
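A defender can check for the condition Symantec describes, an executable sitting in the print spool folder under a spool-file name, by inspecting file contents instead of trusting the extension. The script below is an added example, not code from Symantec or from this article; it assumes the default Windows spool folder location, its sample files are constructed, and it flags any PE image in the folder, not this malware specifically.

```python
import struct
from pathlib import Path

# Default Windows print spool folder (assumption: the spooler has not been reconfigured).
DEFAULT_SPOOL_DIR = Path(r"C:\Windows\System32\spool\PRINTERS")


def is_pe_executable(path):
    """Return True if the file has a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew (offset 0x3C) holds the file offset of the PE signature.
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # unreadable or locked by the spooler: report nothing rather than guess


def find_executables_in_spool(spool_dir=DEFAULT_SPOOL_DIR):
    """List files in the spool folder whose content is a PE image, whatever their extension."""
    if not spool_dir.is_dir():
        return []
    return sorted(p for p in spool_dir.iterdir() if p.is_file() and is_pe_executable(p))


def build_constructed_samples(folder):
    """Write constructed sample files: a minimal PE-like stub and two non-executables."""
    stub = bytearray(0x84)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)   # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    (folder / "00002.SPL").write_bytes(bytes(stub))            # executable named like a spool file
    (folder / "00003.SPL").write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 96)  # non-PE data
    (folder / "00004.SPL").write_bytes(b"MZ" + b"\x00" * 10)   # truncated, not a valid PE


if __name__ == "__main__":
    for hit in find_executables_in_spool():
        print(f"PE image in print spool folder: {hit}")
```

Reading the spool folder normally requires administrator rights, and a hit is a reason to quarantine and examine the file, not a confirmed identification.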
One further interesting point about this piece of malware is that rather than hiding to avoid detection, it uses the adware capabilities to distract attention. "Most sandbox detection/check routines are used as a protection mechanism to enable a threat to hide itself or thwart analysis. However, in this case despite detecting the presence of a sandbox the threat, instead of ceasing all activity, actually performs certain specific activities, such as contacting sites," Symantec said.
"These actions are associated with Adware.Eorezo and it seems that it is using the adware as a decoy to distract attention from itself, thereby attempting to avoid malware analysis as this would categorise it as low risk and be dismissed," the blog added.