Same issue here affecting multiple sites with printers that were not originally installed on the infected PC. Did a bit of searching on Google and only found info on a virus called BugBear. We are currently running a McAfee BugBear removal tool on the affected PC.
Itsupport, I altered your user name from your email address for your protection. For everyone, here is a link to the McAfee BugBear Removal Tool: http://home.mcafee.com/virusinfo/specialvirusremovaltool.aspx?viruskey=bugbear
if needed, although from the description I'm not sure that's the exact remedy.
Message was edited by: Ex_Brit on 08/06/12 8:02:59 EDT AM
We've just been hit with this as well. Just one user workstation as far as we can tell so far. It's not clear yet exactly what is affected, but I have noticed a hidden .dll file in the affected user's docs and settings\application data folder. If we work out more, I'll post back here. Anyone else got more info on this one?
To follow on from Raj909's post regarding it being mentioned on SANS, I can confirm that the affected machine on our network did indeed have single digit name REG_BINARY entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
It also drops an entry with what looks like random characters for a name into HKCU\Software\Microsoft\Windows\CurrentVersion\Run which runs the .dll file which is dropped in the user's Application Data folder, e.g.:
vjdg REG_SZ rundll32 "C:\Documents and settings\<user>\Application Data\netui0p.dll", QJNDKZXSB
Message was edited by: mrussell77 on 08/06/12 08:02:07 CDT
Had this problem with 4 of our customers in the last 2 days. This virus is not the bugbear.B or .A virus; removal tools for this do not work (in our cases). What did work is checking which user(s) is sending the files to the printer. Then check the PC he uses for scheduled tasks in c:\windows\tasks; there will be a task with a strange random name that runs a strange dll file. That's the one. Disable it, delete it and it's fixed!
We saw this from one computer this morning as I arrived from work. Removing the computer from the network stopped the printer storm, but as of yet have not been able to find anything in any areas mentioned so far. No hidden tasks, Reg key mentioned clear with no indication of infection. No rootkits that I can detect or funny hidden files. Just for kicks ran bugbear scanner and nothing...
I take back my previous post...
I do see the single digit binaries now and the dll in C:\Documents and settings\<user>\Application Data
I could only see these when logged in as the user.
I have the same problem. I am using Symantec antivirus, and on the printer server it detected files infected with Trojan.Milicenso in the queue directory. The machine that sent a lot of bomb prints doesn't detect anything. I ran adware but it did not detect anything.
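A read-only check for the indicators reported in the posts above: the rundll32 Run entry, the single-digit REG_BINARY values, and the task files in the Windows Tasks folder. This is an added example, not something posted by a participant in the thread; the function names are hypothetical, and the path pattern assumes the XP-style "Application Data" folder quoted above.

```powershell
# Added example, not from the thread. Run it in the affected user's own session:
# the posts report that the entries are under HKCU and only visible to that user.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-SuspectRunEntry {
    # Run values that start rundll32 on a DLL sitting directly in "Application Data".
    param([string]$Path = $runKey)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # -match is case-insensitive; [^\\"]+ keeps the DLL in the folder itself.
        if ($data -match 'rundll32(\.exe)?\W.*\\Application Data\\[^\\"]+\.dll') {
            New-Object PSObject -Property @{ Key = $Path; Name = $name; Data = $data }
        }
    }
}

function Get-SingleDigitBinaryValue {
    # Values named with a single digit and stored as REG_BINARY.
    param([string]$Path = $inetKey)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($name -match '^\d$' -and $kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            New-Object PSObject -Property @{ Name = $name; Bytes = $key.GetValue($name).Length }
        }
    }
}

function Get-TaskJobFile {
    # Lists task files (hidden ones included) for manual review; nothing is changed.
    param([string]$Path = (Join-Path $env:windir 'Tasks'))
    Get-ChildItem -LiteralPath $Path -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        Select-Object Name, CreationTime, LastWriteTime
}

Get-SuspectRunEntry        | Format-List
Get-SingleDigitBinaryValue | Format-Table -AutoSize
Get-TaskJobFile | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

A hit is a lead to review, not a verdict: compare the DLL path and task names against what is known to be installed on that PC before removing anything.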