Malware Wastes Paper, Triggers Printing and Ads

We received several escalations earlier this month about users experiencing a number of print jobs being sent to printers and print servers. This caused delays in deliveries, as each printer was printing an average of about 300 pages. But what is it printing?

The pages being printed, like the one below, are actually lines of code that we believe belong to another piece of malware intended to be installed on the target machine. The machines executing the printing routine were found infected with either TROJ_AGENT.BCPC or TROJ_PONMOCOP variants.

We noticed randomly-named binaries in the following locations on infected systems:

TROJ_AGENT.BCPC

  • %System%\{random 10 letters}.exe
  • %System%\SPOOL\PRINTERS\FP{5 digit numbers}.SPL – This file is what we believe caused the printouts.
  • %System%\SPOOL\PRINTERS\{random file}.tmp

TROJ_PONMOCOP variants

  • %System%\{random file}.dll
  • Users\{user name}\Appdata\Roaming\{random file}.dll
  • Documents and Settings\{user name}\Application Data\{random file}.dll
  • Program Files\{random folder}\{random file}.dll
  • %Windows%\SysWOW64\{random file}.dll
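The post names %System%\SPOOL\PRINTERS\FP{5 digit numbers}.SPL as the file behind the printouts, and the printed pages were binary code rather than a document. One way to triage a copy of that spool directory, as an added example that is not code from the original post or from Trend Micro: classify each .SPL file by its leading bytes and flag any job that begins with an 'MZ' executable signature and a valid PE header, which no print driver produces. The EMFSPOOL version DWORD 0x00010000 and the PostScript and PCL magic strings are the standard ones; the sample file names and contents are constructed.

```python
"""Triage print-spool files for executable content that a print job should not carry.

Added example, not code from the Trend Micro post. It assumes the analyst has a copy
of the print-spool directory (%System%\\spool\\PRINTERS on the infected host) and
classifies every .SPL file by its leading bytes: an EMF spool file begins with the
EMFSPOOL version DWORD 0x00010000, PostScript and PCL jobs have their own magic, and
a job that starts with 'MZ' plus a valid PE header is a binary, not print data.
"""
import os
import struct
import tempfile
from typing import List, Tuple

EMFSPOOL_VERSION = 0x00010000


def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_spool(data: bytes) -> str:
    """Label a spool file body by its magic bytes."""
    if is_pe_image(data):
        return "pe-image"        # executable written into the spooler: flag it
    if data[:2] == b"MZ":
        return "mz-fragment"     # MZ without a PE header: still not print data
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == EMFSPOOL_VERSION:
        return "emf-spool"
    if data.startswith(b"%!"):
        return "postscript"
    if data.startswith(b"\x1bE") or data.startswith(b"\x1b%-12345X"):
        return "pcl"
    return "unknown"


def triage_spool_dir(path: str, max_read: int = 1 << 20) -> List[Tuple[str, str]]:
    """Classify every .SPL file directly under path; returns (filename, verdict) pairs."""
    results = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file() or not entry.name.lower().endswith(".spl"):
            continue
        with open(entry.path, "rb") as fh:
            results.append((entry.name, classify_spool(fh.read(max_read))))
    return results


def suspicious_jobs(path: str) -> List[str]:
    """Names of spool files that carry executable rather than print data."""
    return [name for name, verdict in triage_spool_dir(path)
            if verdict in ("pe-image", "mz-fragment")]


def write_demo_spool() -> str:
    """Write constructed sample jobs to a temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="spool-demo-")
    # Minimal PE-shaped buffer: 'MZ', e_lfanew = 0x40 at offset 0x3C, 'PE\0\0' at 0x40.
    pe_like = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x90" * 32
    samples = {
        "FP00001.SPL": pe_like,  # constructed name shaped like the post's FP{5 digits}.SPL
        "00002.SPL": struct.pack("<I", EMFSPOOL_VERSION) + bytes(60),
        "00003.SPL": b"%!PS-Adobe-3.0\n%%Pages: 1\n",
        "notes.txt": b"not a spool file, ignored by the triage",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    demo_dir = write_demo_spool()
    for name, verdict in triage_spool_dir(demo_dir):
        print(f"{name}: {verdict}")
    print("suspicious:", suspicious_jobs(demo_dir))
```

Run it against a directory copied off the affected host rather than the live spooler, so the spool service does not have the files locked while you read them; a `pe-image` verdict on a file named like the post's FP{5 digit numbers}.SPL pattern is the signal to preserve the file for analysis.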

Where is it coming from?

Based on the analysis done, we’ve identified two entry points used by the malware. We’ve seen malware related to this attack being downloaded as a .zip file. The downloads come from certain forums that possibly host other malicious files.

We’ve also seen this malware enter systems as a file downloaded after clicking on certain Google search results.

Notable routines

Systems affected with TROJ_AGENT.BCPC connect to http://storage5.static.{BLOCKED}s.ru/i/12/0601/h_1338571059_9957469_b48b167953.jpeg, from which they download ADW_EOREZO. Users might experience incessant pop-up ads due to the presence of the said adware on the system. Ads displayed are from http://ads.{BLOCKED}1.com/cgi-bin/advert/getads?did=1077.

In addition, the presence of TROJ_PONMOCOP makes the attack difficult to analyze. TROJ_PONMOCOP code contains an encrypted portion which is loaded and decrypted into memory. When decrypted, it becomes a new binary file that is UPX-packed, and will take over the routines from then on.

This new binary also contains encrypted code, which requires decryption keys derived from parameters found on the infected system, namely the ftCreationTime and ftLastAccessTime of %Windows%\system32 and of the System Volume Information folder, as well as the serial number of the hard drive, in order to decrypt itself.

If the decrypted code is a valid binary file, it again transfers control to this newly-created binary. If not, the routine of the malware does not proceed. This simply means that the binary may be unique for each infected system. Note that all these steps are done in memory, which means there are no dropped files.
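The consequence of this keying for an analyst is that the same encrypted stage pulled from an infected machine will not unpack in a sandbox unless the host's own timestamps and drive serial are supplied. The following is an added example that models that behaviour; it is not the malware's code, and the SHA-256 key derivation and XOR keystream are assumptions chosen to make the model runnable, not the algorithm reverse-engineered from the sample. What it does follow from the post is the set of inputs (the two folders' ftCreationTime and ftLastAccessTime plus the drive serial) and the go/no-go check: the result is only used if it validates as a Windows executable. The host parameter values and the demo image are constructed.

```python
"""Model of an environment-keyed unpacking stage, as the post describes for
TROJ_PONMOCOP: the key comes from host-specific values and the decrypted buffer
is only used if it validates as an executable. Added example for analysts, not
the malware's own code: the hashing-based key derivation and the XOR keystream
are assumptions that stand in for the unknown real algorithm.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostParams:
    """The key material the post names (FILETIMEs are 64-bit integers)."""
    system32_ctime: int   # ftCreationTime of %Windows%\system32
    system32_atime: int   # ftLastAccessTime of %Windows%\system32
    svi_ctime: int        # ftCreationTime of System Volume Information
    svi_atime: int        # ftLastAccessTime of System Volume Information
    drive_serial: bytes   # hard-drive serial number as reported by the OS


def derive_key(p: HostParams) -> bytes:
    """Assumption: pack the four FILETIMEs, append the serial, and hash them."""
    material = struct.pack("<QQQQ", p.system32_ctime, p.system32_atime,
                           p.svi_ctime, p.svi_atime) + p.drive_serial
    return hashlib.sha256(material).digest()


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Symmetric transform (assumption): SHA-256 counter-mode keystream XORed onto data."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("<I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def looks_like_pe(image: bytes) -> bool:
    """The go/no-go check: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_stage(blob: bytes, p: HostParams) -> Optional[bytes]:
    """Return the decrypted image only if it validates; None means 'do not proceed'."""
    image = xor_keystream(blob, derive_key(p))
    return image if looks_like_pe(image) else None


# Constructed demo data: a minimal PE-shaped buffer and two hosts with different values.
DEMO_IMAGE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x90" * 16
INFECTED_HOST = HostParams(0x01CD3F0A8C2E1000, 0x01CD3F0B1122AA00,
                           0x01CD3F0A8C2E2000, 0x01CD3F0B11330000, b"DEMO-SERIAL-0001")
SANDBOX_HOST = HostParams(0x01CD4A0000000000, 0x01CD4A0000001000,
                          0x01CD4A0000002000, 0x01CD4A0000003000, b"DEMO-SERIAL-0002")
# The blob as it would sit in memory on the infected host (constructed with its key).
ENCRYPTED_BLOB = xor_keystream(DEMO_IMAGE, derive_key(INFECTED_HOST))


if __name__ == "__main__":
    print("unpacks on infected host:", unpack_stage(ENCRYPTED_BLOB, INFECTED_HOST) == DEMO_IMAGE)
    print("unpacks in sandbox:", unpack_stage(ENCRYPTED_BLOB, SANDBOX_HOST) is not None)
```

The practical lesson is in the `HostParams` record: when you image or triage an infected machine, capture the creation and last-access FILETIMEs of %Windows%\system32 and System Volume Information and the drive serial alongside the memory dump, or the in-memory stage cannot be reproduced later. Note that reading a folder can itself update its last-access time on systems where that tracking is enabled, so record the values before touching the folders.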

The malware then checks the following registry keys to decrypt additional binaries in memory. Which keys are used depends on the infected machine’s processor/operating system:

32-bit systems:

  • HKLM\Software\{random}
  • HKCU\Software\{random}

64-bit systems:

  • HKLM\Software\Wow6432Node\{random}
  • HKCU\Software\Wow6432Node\{random}

These registry entries contain encrypted data, which is then decrypted into three binary files. The first binary file has the capability to monitor and disable the services named “wscsvc”, “WinDefend”, and “MsMpSvc”. It also deletes the following registry entries related to security applications:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run “Windows Defender”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run “msse”
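A defender can check a host for exactly this tampering: whether the three services are still running and whether the two Run entries are still present. The following is an added example, not code from the post or from Trend Micro. It parses the output of `sc query` and reads the Run key through `winreg` when run on Windows, and keeps the decision logic in a plain function so it can be exercised with constructed data on any platform; the sample `sc query` text is constructed.

```python
"""Check a Windows host for the tampering the post attributes to the first decrypted
binary: stopped wscsvc / WinDefend / MsMpSvc services and missing "Windows Defender"
or "msse" values under HKLM\\...\\CurrentVersion\\Run. Added example, not from the post.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

SERVICES = ("wscsvc", "WinDefend", "MsMpSvc")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = ("Windows Defender", "msse")

# `sc query` prints a line such as "        STATE              : 4  RUNNING".
_STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def parse_sc_state(sc_output: str) -> Optional[str]:
    """Extract the STATE word (RUNNING, STOPPED, ...) from `sc query` output, or None."""
    match = _STATE_RE.search(sc_output)
    return match.group(1) if match else None


def collect_service_states() -> Dict[str, str]:
    """Query each service with sc.exe (Windows only); MISSING if sc reports no state."""
    states = {}
    for svc in SERVICES:
        out = subprocess.run(["sc", "query", svc], capture_output=True, text=True).stdout
        states[svc] = parse_sc_state(out) or "MISSING"
    return states


def collect_run_values() -> Dict[str, bool]:
    """Report whether each expected Run value exists under HKLM (Windows only)."""
    import winreg  # standard library on Windows; imported here so the module loads elsewhere
    present = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for name in RUN_VALUES:
            try:
                winreg.QueryValueEx(key, name)
                present[name] = True
            except FileNotFoundError:
                present[name] = False
    return present


def assess(states: Dict[str, str], run_present: Dict[str, bool]) -> List[str]:
    """Turn collected facts into findings; an empty list means nothing looks tampered."""
    findings = []
    for svc in SERVICES:
        if states.get(svc) != "RUNNING":
            findings.append(f"service {svc} is {states.get(svc, 'MISSING')}")
    for name in RUN_VALUES:
        if not run_present.get(name, False):
            findings.append(f'Run value "{name}" missing')
    return findings


# Constructed sample of `sc query` output for a stopped service, used for offline demo.
CONSTRUCTED_SC_OUTPUT = (
    "\nSERVICE_NAME: wscsvc\n"
    "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
    "        STATE              : 1  STOPPED\n"
    "        WIN32_EXIT_CODE    : 0  (0x0)\n"
)


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = assess(collect_service_states(), collect_run_values())
    else:
        # Off Windows, show the logic on constructed data instead.
        findings = assess({"wscsvc": parse_sc_state(CONSTRUCTED_SC_OUTPUT),
                           "WinDefend": "RUNNING", "MsMpSvc": "RUNNING"},
                          {"Windows Defender": True, "msse": False})
    print("\n".join(findings) or "no findings")
```

Read the findings in context: MsMpSvc and the "msse" Run value only exist where Microsoft Security Essentials is installed, so their absence is a finding only on hosts that had the product before. A service that was running at the last baseline and is now stopped, or a Run value that has disappeared, is the signal worth escalating.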

The second binary file has a routine that posts information about “Http Status”, “Time slots”, and “Statistics” to a remote server. The details of this information and where it is sent are still being investigated. The said binary file also checks for the following additional registry entries:

  • HKLM\software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKLM\software\Microsoft\Multimedia
  • HKCU\software\Microsoft\Multimedia
  • HKLM\System\CurrentControlSet

Once it finds these entries, the second binary decrypts the data contained in one of the values. The decrypted data contains numerical values and URLs which the malware may either try to hijack or visit.

Additionally, the following new registry entries, which contain additional encrypted data, are created by the second binary:

  • HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{random}
  • HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{random}\{random}

The routines of the last binary file are still under investigation.

Trend Micro Protection

Trend Micro users are protected in two ways. All of the files listed above are already detected as malicious. In addition, we also block all the URLs involved to prevent any new variants from being downloaded onto user systems. This combination provides better protection for users than a conventional response focusing on either the malicious files or sites in isolation.

Note that we are continuously investigating this attack. We will update this entry as more pieces of this “printer virus” become clearer.

With additional analysis from Lenart Bermejo, Brian Cayanan, and Allan Sepillo

Post from: TrendLabs | Malware Blog – by Trend Micro

Story added 3 July 2012; the full text is available from the content source above.