Re: Printer Virus?

I've tried the Stinger from 6/10 with 6737 and it was unable to find a .dll believed to be related to this infection. I do have an open case with McAfee support regarding this infection. Also, we were seeing detections on our print server for the .SPL files that were malicious; on detection: Generic.Tra!e864689c6897. However, in the most recent infection we did not see this DAT cover the files.

Good luck everyone.

Re: Printer Virus?

It may make sense to block and provide reporting on the following addresses:

  • hxxp://storage1.static.itmages.ru
  • hxxp://storage5.static.itmages.ru

From Symantec's Site:

1. What is this threat?
Adware.Eorezo and Trojan.Milicenso, along with threats that show traits of each, as well as Packed.Generic.372 and Packed.Generic.371.
The ability to detect these files is based on the traits of the packer being used. But the threat classification or naming of the files is based on the dropper (the file that gets the threat there), and we will need to complete a full analysis of that before we can fully understand all the parts of this threat.

2. What is it doing?
It's downloading two types of files:
Payload - Adware.Eorezo and Trojan.Milicenso
Jpegs - used steganographically to provide commands to the payload

3. Where is it downloading from?
Jpegs are downloaded from
hxxp://storage1.static.itmages.ru
hxxp://storage5.static.itmages.ru

4. Why is it taking so long to create "complete" detection?
Each component of this threat is highly encrypted. The key for that encryption is different for each computer because it is based on
-    VolumeSerialNumber of the system volume.
-    Creation time of "c:\windows\system32" and "c:\System Volume Information"
This means that each individual machine will have a series of files that are unique at the byte level.

5. What is the latest detection available in certified definitions for this?
Certified definitions: 6/10/2012 rev. 17 seq 135100 (these have updated, but not the most up to date detection)

6. How do I get the most up to date definitions?
Detections are being added to Rapid Release defs every 5 or 6 hours as we fine-tune our coverage.

7. Suggested actions

  • Update with current RR defs
  • Find undetected infected machines
    • Use printer logs to determine infected machines
    • Use firewall logs to determine machines that are connecting to:
      • hxxp://storage1.static.itmages.ru
      • hxxp://storage5.static.itmages.ru
  • Submit undetected files. - The more samples we have the more we can be sure we are picking it all up.

More info to come as we continue to work this issue

Source:  http://www.symantec.com/connect/forums/print-server-gone-wild
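The two hunting steps Symantec suggests above (firewall logs for connections to the itmages.ru hosts, printer logs for machines that suddenly print to everything) are easy to script. The following is an added example, not code from the post or from Symantec or McAfee. The proxy log format (timestamp, source IP, destination host, request) and the print-server CSV (time, user, client, printer, document) are constructed for illustration; on a real Windows print server you would export the PrintService/Operational channel to CSV first and adjust the column names. Thresholds (10-minute window, 5 distinct printers) are assumptions to tune for your environment.

```python
"""Hunt for Milicenso-style infections using the two indicators listed above:
connections to the itmages.ru image hosts and print-job storms from one client.
Added example; both log formats below are constructed, not from the page."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# The two hosts named in the post (defanged hxxp:// URLs point at these).
IOC_HOSTS = {"storage1.static.itmages.ru", "storage5.static.itmages.ru"}

# Constructed proxy/firewall log: "<iso-timestamp> <src-ip> <dst-host> <method> <path>"
PROXY_LOG = """\
2012-06-11T09:02:13 10.1.4.22 storage1.static.itmages.ru GET /i/12/0611/abc.jpg
2012-06-11T09:02:40 10.1.4.22 www.example.com GET /
2012-06-11T09:05:01 10.1.7.90 storage5.static.itmages.ru GET /i/12/0611/xyz.jpg
2012-06-11T09:07:55 10.1.4.31 updates.example.net GET /dat
2012-06-11T09:09:12 10.1.7.90 storage5.static.itmages.ru GET /i/12/0611/qrs.jpg
"""


def hosts_contacting_iocs(log_text):
    """Map each internal source IP to the IOC hosts it contacted (exact host match)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        src_ip, dst_host = fields[1], fields[2].lower()
        if dst_host in IOC_HOSTS:
            hits[src_ip].add(dst_host)
    return dict(hits)


# Constructed print-server export. The infected client (WS-0422) sprays one job
# to six printers in about ten seconds; WS-0117 shows normal user behaviour.
PRINT_LOG = """\
time,user,client,printer,document
2012-06-11 09:03:00,jsmith,WS-0422,PRN-HQ-01,Print Document
2012-06-11 09:03:02,jsmith,WS-0422,PRN-HQ-02,Print Document
2012-06-11 09:03:05,jsmith,WS-0422,PRN-HQ-03,Print Document
2012-06-11 09:03:07,jsmith,WS-0422,PRN-BR1-01,Print Document
2012-06-11 09:03:09,jsmith,WS-0422,PRN-BR1-02,Print Document
2012-06-11 09:03:11,jsmith,WS-0422,PRN-BR2-01,Print Document
2012-06-11 09:04:30,mjones,WS-0117,PRN-HQ-01,quarterly.docx
2012-06-11 09:41:00,mjones,WS-0117,PRN-HQ-02,invoice.pdf
"""


def print_storm_clients(log_text, window=timedelta(minutes=10), min_printers=5):
    """Return {client: (jobs, distinct_printers)} for clients that reached
    min_printers distinct printers inside any time window of length `window`."""
    jobs = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        jobs[row["client"]].append((ts, row["printer"]))

    storms = {}
    for client, entries in jobs.items():
        entries.sort()  # time order so a sliding window works
        best = None
        start = 0
        for end in range(len(entries)):
            # advance the window start until it spans at most `window`
            while entries[end][0] - entries[start][0] > window:
                start += 1
            printers = {p for _, p in entries[start:end + 1]}
            if len(printers) >= min_printers and (best is None or len(printers) > best[1]):
                best = (end - start + 1, len(printers))
        if best:
            storms[client] = best
    return storms


if __name__ == "__main__":
    for ip, hosts in sorted(hosts_contacting_iocs(PROXY_LOG).items()):
        print(f"IOC contact: {ip} -> {', '.join(sorted(hosts))}")
    for client, (n_jobs, n_prn) in print_storm_clients(PRINT_LOG).items():
        print(f"Print storm: {client} sent {n_jobs} jobs to {n_prn} printers")
```

Run both checks and intersect the results with your asset inventory: a machine that appears in either list is a candidate for isolation and sample submission, and one that appears in both is almost certainly infected. Matching on the exact host names keeps false positives down; widen to the whole itmages.ru domain only if your own traffic baseline justifies it.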

ccalaf
Re: Printer Virus?

Do we know how the virus communicates with the printers? We had an incident with the same virus where a user became infected and sent print jobs to every printer in the organization. This user is only connected to one print server in one site but the jobs were sent to every printer in multiple sites. I am not sure how a user was able to send a print job to a printer in another site unless he is connected to that printer server. It is as if the virus scanned our network to look for print servers or printers.
