bill-swift - July 1, 2012
A not-so-new Trojan is in our midst, and it's as unusual as these darned viruses can get. Trojan.Milicenso is one bug that environmentalists will hate, but it's also one that paper salesmen will love--provided their own computer isn't infected with it, that is.
The Trojan has taken the world's printers by storm, executing code that triggers the printer linked to your computer to print random gibberish until it runs out of paper.
The weird thing is, the printing has been identified by security researchers as a mere side effect of the Trojan. Milicenso has been around since 2010 and spreads via a number of channels: email, attachments, and site-hosted scripts.
Here's how it works: once it's dropped, the Trojan creates an executable file that in turn creates a number of .EXE and .DLL files in various locations. It then checks to see that it's not being run on a virtual machine or a sandbox.
What is really interesting here is that most sandbox detection/check routines are used as a protection mechanism to enable a threat to hide itself or thwart analysis. However, in this case despite detecting the presence of a sandbox the threat, instead of ceasing all activity, actually performs certain specific activities, such as contacting sites.
-- Symantec security researchers
The Trojan was primarily made to steal information from infected users' computers, and at one point it creates an .SPL file in the print spooler directory. This automatically queues a job for your printer, which prints out the contents of the malicious files continuously.
Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs. This explains the reports of unwanted printouts observed in some compromised environments.
-- Symantec security researchers
If you've been infected, unhook your printer for the moment while you run an anti-virus scan on your computer. Update it regularly and download any security patches or updates when they're available to keep your machine protected.
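For administrators triaging a machine with runaway printouts, the following is an added example (not from the original article or from Symantec) that inspects a print spooler directory for the condition described above: executable content sitting where print jobs belong. The sample file names are constructed, and the check for an .SPL file with no matching .SHD shadow file is a heuristic assumption, not something the article states.

```python
import struct
import tempfile
from pathlib import Path

# On a real host, point triage_spool() at the spooler directory,
# by default C:\Windows\System32\spool\PRINTERS.

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_spool(spool_dir: Path) -> list[tuple[str, str]]:
    """Return (file name, reason) for every suspicious file in spool_dir."""
    files = sorted(p for p in spool_dir.iterdir() if p.is_file())
    shadows = {p.stem.lower() for p in files if p.suffix.lower() == ".shd"}
    findings = []
    for path in files:
        with path.open("rb") as fh:
            head = fh.read(4096)  # headers only; enough for typical e_lfanew
        if looks_like_pe(head):
            findings.append((path.name, "PE executable in spool directory"))
        elif path.suffix.lower() == ".spl" and path.stem.lower() not in shadows:
            # Heuristic (assumption): spooler jobs normally come as .SPL + .SHD
            findings.append((path.name, "spool file without shadow (.SHD) file"))
    return findings

def build_sample(root: Path) -> Path:
    """Constructed sample: one normal job pair, one orphan job, one PE stub."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    (root / "00002.SPL").write_bytes(b"%!PS-Adobe-3.0\n%%Title: report\n")
    (root / "00002.SHD").write_bytes(b"\x00" * 16)
    (root / "00007.SPL").write_bytes(b"plain text job\n")
    (root / "FP00004.SPL").write_bytes(bytes(stub))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, reason in triage_spool(build_sample(Path(tmp))):
            print(f"{name}: {reason}")
```

Stop the Print Spooler service before removing flagged files so they are not re-queued while you clean up.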