Unauthorized printing is becoming a nuisance as a computer worm propagates by exploiting a 2010 Windows vulnerability, according to security researchers from Symantec.
Companies have reported unauthorized printing incidents in recent weeks, prompting antivirus firms to investigate the possible causes.
On June 21, Symantec reported the rogue printouts were the result of computers suffering from the Trojan program called Trojan.Milicenso.
However, researchers have since determined the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia said Monday.
W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service patched in September 2010. Identified as CVE-2010-2729, Stuxnet also exploited this vulnerability.
The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer.
The worm starts by sending a print request to a targeted computer specifically crafted to exploit the CVE-2010-2729 vulnerability. If the exploitation attempt is successful, a copy of the malware drops in the Windows system directory and then executes.
However, if the user patched the system against CVE-2010-2729, a copy of the worm ends up created in the computer’s printer spool directory — %SystemRoot%\system32\spool\printers — as a randomly named .spl (Windows Printer Spool) file.
The computer interprets the creation of this file as a new print job and instructs the network printer to print the file’s contents, therefore wasting paper and toner.
Because the worm periodically retries to infect a system, the rogue printing behavior will repeat until the user cleans up all network computers, Morparia said. “Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network.”
Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about printing jobs, including the names of computers that initiated them. Administrators can inspect SHD files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.
The W32.Printlove worm might link to the previously reported Trojan.Milicenso, Morparia said. “We intend to continue our investigation to confirm any relationship between the two threats.”