Symantec has announced the discovery of a new worm that launches “trash” print jobs. Symantec identifies the worm as W32.Printlove. The malware exploits the Microsoft Windows Print Spooler Service remote code execution vulnerability (CVE-2010-2729), which was discovered back in 2010.
The worm behaves differently on computers that have the update for CVE-2010-2729 installed and on those that do not. Symantec experts tested the threat in a simple network of two computers and a network printer connected through a switch.
- Computer configuration A: Windows XP Professional. The computer was patched for CVE-2010-2729 and was infected with W32.Printlove. No local or network printer was connected.
- Computer configuration B: Windows XP Professional. In the first scenario the computer runs without the update; in the second it is patched. A network printer shared for public access is connected.
Computer A must have permission to send print jobs to computer B. Guest access to shared printers is enabled by default in Windows XP; on newer operating systems, computer A must authenticate to computer B.
There are two scenarios in which the threat may work:
- Computer B unpatched: W32.Printlove running on computer A looks for shared print resources. When one is discovered, it sends itself to computer B using a StartDocPrinter request. The print spooler vulnerability allows any file transmitted in a print request to be copied to an arbitrary folder, and the malware uses this to run on computer B.
- Computer B patched: W32.Printlove running on computer A behaves the same way and passes its code to computer B. Because computer B has the update, the worm cannot exploit the vulnerability. The fix no longer allows print requests to write files to arbitrary folders (that is, printing to file), which prevents the worm from copying itself to the system directory and autostarting itself through the exploit. Instead, the code is saved in the spooler folder on computer B as an .spl file, and computer B then starts printing that file on the attached shared printer.
W32.Printlove keeps its connection to the remote computer and periodically tries to infect it again using the print spooler vulnerability. Computers can be reinfected, and “trash” print jobs may arrive from several different computers until the worm is fully removed from the network. Tracking the source of unwanted prints becomes much harder when multiple infections are present on the network. Network administrators can identify infected PCs by looking for .shd files in the spooler folder of the computer that hosts the shared printer.
SHD files are created by the operating system and contain detailed information about the print request. They can be viewed with SPLViewer. Because these files are in use by the Print Spooler service, the service must be stopped first. Administrators can identify the compromised computer from the Computername field, which records the source that sent the print job. Trash printing is a side effect of having patched CVE-2010-2729 on the computers attacked by W32.Printlove.
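An added triage example, not part of Symantec's write-up: a PowerShell script for the computer hosting the shared printer that stops the spooler, lists the .shd job descriptors left in the spool directory, and pulls the UTF-16 text fields out of each file so the submitting computer name can be read without SPLViewer. The default spool path is an assumption; adjust it if the spooler has been reconfigured.

```powershell
# Added triage example, not part of Symantec's write-up.
# Run as administrator on the computer that hosts the shared printer.
# Assumption: the spooler uses the default spool directory.
$SpoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

function Get-Utf16Strings {
    param([byte[]]$Bytes, [int]$MinLength = 4)
    # SHD name fields (document, user, computer name) are stored as UTF-16LE.
    # Decode at both byte alignments so strings at odd offsets are not missed.
    $found = @()
    foreach ($offset in 0, 1) {
        if ($Bytes.Length -le $offset) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $offset, $Bytes.Length - $offset)
        $found += [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
    }
    $found | Sort-Object -Unique
}

# The spooler keeps these files open; stop it before reading and restart it afterwards.
Stop-Service -Name Spooler -Force
try {
    $jobs = Get-ChildItem -Path $SpoolDir -Filter '*.shd' -ErrorAction Stop |
            Where-Object { -not $_.PSIsContainer }
    # Many .shd files accumulating here is consistent with the repeated
    # reinfection attempts described above; each one names its sender.
    foreach ($f in $jobs) {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        New-Object PSObject -Property @{
            File    = $f.Name
            Written = $f.LastWriteTime
            Bytes   = $f.Length
            # Host, user and document names; the client computer name is among these.
            Strings = (Get-Utf16Strings -Bytes $bytes) -join ' | '
        }
    }
}
finally {
    Start-Service -Name Spooler
}
```

Feed the output to Format-Table or Export-Csv and group on the host name that appears in Strings to see which client is sending the jobs.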
According to the researchers, there may be a connection between Trojan.Milicenso and W32.Printlove, but this has not yet been confirmed. A team of specialists at Symantec continues to investigate the possible relationship between the two threats.