Random Junk Printing all over the network!

Okay, I'm part of a team that manages a network for a public school district. Starting last Friday afternoon, we began to see random printers on the network printing junk by the hundreds of pages. The only thing that stopped the job was the printer running out of paper.

Looking at printer logs, these jobs have no originator, date or time info. The only identifying piece of info (on the ones directly plugged in to the network) is they are printed from Port 9100. There are also several printers that are shared which are having the same issue.

We've been all over the Internet and found little information - other than the fact that this can happen. We need some help figuring out how to stop the printing! Disabling Port 9100 on the network printers does stop the attack, but there is no such option on the older printers that have been shared. The issue does not seem to discriminate as it has hit Dell, HP Inkjet, HP Laser, and Xerox Laser printers, both old and new. These devices are also in multiple sites/subnets.

Oh yeah.... the only readable text in the printouts is the first line which states "this program does not run in MS DOS.."
    +
    0 Votes
    seanferd

    Could be a student doing a little hacking, or possibly some bit of malware that got into your network.

    I would be checking in whatever network logs there are to see where the job was initiated. Perhaps a tool like Wireshark or Angry IP scanner may be of use, as well as simply using tcpdump (while such an incident is occurring.) Right now, I think you're stuck with network logs.

    Perhaps those with more network experience could shine a light on this for you. Good luck.
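
One way to act on the tcpdump/network-log suggestion above, as an added example that is not from the thread: a small parser that reads tcpdump-style lines, keeps only new connection attempts to TCP/9100, and reports which hosts are opening raw-print sessions to many printers across several subnets. The sample lines are constructed and assume tcpdump's default `IP src.port > dst.port: Flags [..]` text format; the /24 subnet split is an assumption about the site layout.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a capture from the thread). One
# workstation, 10.20.4.57, opens raw-print (TCP/9100) sessions to printers in
# three different subnets; 10.20.4.9 is a normal client printing to one printer.
SAMPLE_TCPDUMP = """\
10:02:11.104 IP 10.20.4.57.49211 > 10.20.7.10.9100: Flags [S], seq 1, win 65535, length 0
10:02:11.301 IP 10.20.7.10.9100 > 10.20.4.57.49211: Flags [S.], seq 9, ack 2, win 5840, length 0
10:02:11.305 IP 10.20.4.57.49211 > 10.20.7.10.9100: Flags [P.], seq 1:1461, ack 10, win 65535, length 1460
10:02:12.003 IP 10.20.4.57.49212 > 10.30.1.21.9100: Flags [S], seq 1, win 65535, length 0
10:02:13.771 IP 10.20.4.57.49213 > 10.31.5.9.9100: Flags [S], seq 1, win 65535, length 0
10:02:14.010 IP 10.20.4.9.50011 > 10.20.7.10.9100: Flags [S], seq 1, win 65535, length 0
10:02:15.442 IP 10.20.4.9.50011 > 10.20.7.10.9100: Flags [P.], seq 1:200, ack 1, win 65535, length 199
10:02:20.123 IP 10.40.2.200.1042 > 10.20.7.10.80: Flags [S], seq 1, win 8192, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_connections(text, port=9100):
    """Yield (timestamp, src, dst) for each new connection attempt to `port`.

    A bare SYN has flags 'S'; 'S.' is the printer's SYN-ACK and 'P.' carries
    data, so only 'S' marks the client that started the job."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        if m["flags"] != "S":
            continue
        yield m["ts"], m["src"], m["dst"]


def find_spray_sources(text, port=9100, min_printers=2):
    """Group connection attempts by source host and report hosts that reach at
    least `min_printers` distinct printers.

    Returns {src: {"printers": n, "subnets": n, "first_seen": ts}}; a legitimate
    client usually talks to one or two printers, a worm sprays many."""
    printers = defaultdict(set)
    first_seen = {}
    for ts, src, dst in parse_connections(text, port):
        printers[src].add(dst)
        first_seen.setdefault(src, ts)
    report = {}
    for src, dsts in printers.items():
        if len(dsts) < min_printers:
            continue
        # Assumed /24 site subnets, used to show how widely one host sprays.
        subnets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
        report[src] = {"printers": len(dsts), "subnets": len(subnets),
                       "first_seen": first_seen[src]}
    return report


if __name__ == "__main__":
    for src, info in find_spray_sources(SAMPLE_TCPDUMP).items():
        print(f"{src}: {info['printers']} printers in {info['subnets']} subnets, "
              f"first seen {info['first_seen']}")
```

On a real capture, feed it the text of `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 9100'` taken at a switch span port while the junk is printing.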

    +
    0 Votes
    smallbiz-techwiz

    I'm not a big fan of sharing printers on desktop PCs. It's either open to everyone, or not at all. There's no way to effectively control access to it in this scenario. I think it's better to share only network printers that are controlled by a server. The server can then require authentication from users that want to use its shared resources. You also have lots of flexibility with permissions and scheduling.

    +
    0 Votes

    I'm not a big fan of many of the ways we end up dealing with things in Public School Districts due to lack of funding or lack of setting priorities that include the importance of technology. Unfortunately, we have to make do with many old printers (some of those that have this issue do not have network cards) that must be shared just to provide printing capabilities that are needed. Funds for print servers and such things are few and far between.

    Thus, we end up dealing with these sorts of issues instead of planning for future improvements!

    +
    0 Votes
    Kenone

    A few things can cause it. Best guess would be someone trying to print from within a program (with its own printer drivers) and just randomly pointing at printers. Keep alert to "I can't print" complaints.
    On shared printers, especially old ones, you should be able to configure the port as an LPR. That reduces this behaviour.

    +
    0 Votes
    -Q-240248

    Probably someone who is infected with something. Try shutting down the machines and cleaning them, see if you can narrow down the affected machine.

    +
    0 Votes

    Definitely malicious. We have done quite a bit of checking for malicious code and such so far, but we have over 3000 computers in the district and only 3 technicians. Shutting them down really won't work. (Well, it may work for me - but not for teachers, staff and students). :0)

    +
    0 Votes
    shasca

    A few years back I had heard of a printer virus that caused this type of weirdness. See if the link below is any help.

    http://www.infoworld.com/articles/op/xml/00/04/10/000410oplivingston.html

    +
    0 Votes

    There is something here, we found a worm... W32/Mariofev.worm. It seems this worm deposits a file "marioforever.exe" in shared folders, and if it runs, causes these random print jobs. This virus exploits file and print sharing in Windows operating systems.

    We have not found any utility to actually stop this from happening. Malwarebytes will see it, and remove it, but will not protect it from being re-infected. Anyone dealt with this one before?

    +
    0 Votes
    Jacky Howe

    Have you updated the definitions for it? In other words, is it up to date?

    +
    0 Votes

    We are running Vexira and yup, everything appears to be up to date. I have found more information on the virus, but still not clear removal/protection against re-infection information. This one started in May, 2008 and there is more info here...

    http://en.securitylab.ru/viruses/352672.php

    +
    0 Votes
    Jacky Howe

    Do you allow Instant Messaging, as it looks like this is how it is transmitted? If your Antivirus can't see it or remove it, use Malwarebytes and check the Registry settings in these links to make sure that it has been removed.

    You will then have to run regular scans on the systems. I would consider using a mainstream AV product if the problem can't be resolved after getting in touch with Vexira. Also do a search of the Students and Staff Home Directories for marioforever.exe and delete them. You will have to scan your Servers as well. Is it contained to the Curriculum network or is it on the Admin network? If it is on the Admin network I would start there first.

    Have Vexira notify you when it finds a virus:
    http://support.vexira.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=29&nav=0,2

    W32.Mariofev.A
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-050915-4639-99&tabid=3

    W32.Mariofev.A
    http://www.tongjimba.com/antivirus/howtoremove/howtoremove_342.html

    Let us know how you get on.

    +
    0 Votes

    I notified Vexira of the issue - they requested we send up the files involved so they could build something to eradicate it...that took quite a while, because it seems even both email systems and their own ftp servers were aware of the virus and wouldn't allow us to pass the files. I've gotta go back to school and learn more about hacking! :0)

    We are now doing regular scans on servers and workstations for the files, we remove them, they come back. We are doing some serious "sneaker net" processes to try to find the machines that are actually infected. It's amazing how such a large percentage of users can't even tell you where their files are saved, but they certainly can stumble across the marioforever.exe file and every time, their curiosity wins and they end up opening the file to "see what it is" sigh... This after several mass emails reminding users on safe computing practices - and one SPECIFIC email saying, please DO NOT open the marioforever.exe file if you see it...it is not a game. Sad - but job security I suppose.

    +
    0 Votes
    Jacky Howe

    If you want to try it manually:

    From another PC download and install these two programs and copy the installed folders to a USB Stick.

    Restart the PC in Safe Mode and Disable System Restore (Windows Me/XP), run Sophos and then run Spybot.

    Download Spybot - Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html

    Download Sophos and the latest IDE Files. Install it and extract the IDE files to the C:\SAV32CLI folder.
    http://www.sophos.com/support/knowledgebase/article/13251.html

    Copy and paste the below two lines into Notepad and save the file to the USB Stick as sophos.bat; it will scan and remove. When the Scan has finished check the log file to see what it hasn't removed. You will normally find the answer to this via Google.

    ===============================
    CD SAV32CLI
    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
    ===============================

    The Sophos SAV32CLI folder can be safely deleted after it is copied to USB.

    To find and stop the service SCNa:

    Click Start > Run.
    Type services.msc, and then click OK.
    Locate and select the service that was detected.
    Click Action > Properties.
    Click Stop.
    Change Startup Type to Manual.
    Click OK and close the Services window.
    Restart the computer.

    You will have to delete these files.

    Once executed, the worm drops the following files:
    %System%\[RANDOM NAME]
    %System%\bmf.cs
    %System%\ccs.so
    %System%\gh.l
    %System%\mn.n
    %System%\ntpl.bin
    %System%\nvrsma.dll
    %System%\yl.po

    It may also create:
    %System%\acl.exe
    %System%\MarioForever.exe
    %DriveLetter%\MarioForever.exe

    The worm then modifies the following files:
    %System%\dllcache\user32.dll
    %System%\user32.dll

    Click Start > Run.
    Type regedt32
    Click OK.

    Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
    http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

    Navigate to and delete the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\[NUMBER]\"[34 DIGIT HEX NUMBER]" = "[RANDOM DATA]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"ztpInit_Dlls" = "nvrsma"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"ccnt" = "[NUMBER OF INFECTION ATTEMPTS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"mid" = "[RANDOM HEX DATA]"

    Navigate to and delete the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCNa

    Exit the Registry Editor.

    Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

    Re-enable System Restore when the infection is cleaned up.

    +
    0 Votes
    seanferd

    Take each PC off the network while cleaning it, and leave it off (or powered off) until each machine has been cleaned?

    Curious.

    +
    0 Votes
    Jacky Howe

    that the infected PCs would already have been isolated by pulling the plug on the Switch and confining it to the room. Then again I don't know the setup. The OP has already stated that users' files are saved everywhere. It sounds like a mess to me. It also sounds like an acute lack of funding is involved.

    The Virus is looking for Shares so I hope that there is nothing shared on the Workstations. Then again that doesn't help the Shares on the File Server if the AV can't detect it. As I said, it's a mess.

    +
    0 Votes

    With over 3000 PCs and only three technicians, it could take up to a month using this method. I doubt the school district would be happy with that.

    My suspicion is we had this on the network, probably when it first came out in May, but it didn't actually get initiated until teachers and students came back last week. I've had several users tell me they double clicked the "marioforever.exe" file out of curiosity...(my users are so helpful) I have sent out several (please don't do that) emails, but I'm not convinced it has stopped. I have created a script file that constantly scans the servers in district for the marioforever.exe file (and deleting it), but finding the computers that are actually infected is a larger challenge.

    +
    0 Votes
    seanferd

    If it requires that user interaction, I don't suppose it will be re-infecting the other PCs, except with the original file. As long as you can keep folks from clicking on it...

    As I said, good luck. I hope you are successful in eliminating the malware.
