Over the last few weeks, I’ve seen reports of companies having their print server paper trays emptied by huge print jobs that produce endless pages of gibberish. Symantec believes it’s identified the culprit as a piece of malware called Trojan.Milicenso – which was originally identified back in 2010.
Trojan.Milicenso, which targets Windows-based systems, is typically spread through the usual means: email attachments, infected ads and fake codecs.
We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.
Symantec believes that the massive print jobs are an unintended side effect of the infection vector, which makes sense. Performing an action that draws attention so obviously would probably not be in the authors’ best interests:
After all this, you may be wondering what makes this threat a paper salesman’s dream come true, and here’s why. During the infection phase, a .spl file is created in [DRIVE_LETTER]system32SpoolPRINTERS[RANDOM].spl. Note the Windows’ default print spooler directory is %System%spoolprinters.
The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo. Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs. This explains the reports of unwanted printouts observed in some compromised environments. Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather an intentional goal of the author.
At this stage, infections have, for the most part, been limited to the U.S. and India, but with fresh detections in the United Kingdom, France, Germany and Brazil, there is a possibility that it could start to become more of a problem. So keep your eyes on those paper trays.