I'm having serious problems with several HP printers.

The issue is the following: my printer (different models) prints random ASCII characters on the first line of a page (image sample: http://tinyurl.com/d2744sk) and prints several pages (50+).

And here is another screenshot of the print queue: http://tinyurl.com/cvxeo6n (the first 2 are the ASCII "print").

The problem is presenting itself on different printer models (but only HP) and in different organizations with some personnel in common but no connection between the two. The buildings are miles away. I suspect some user spread the virus via USB keys.

I ran a full system scan with several antivirus products with no result. I'm updating the printers' firmware, if available, as we speak.

Consider that:

- All models seem to be vulnerable: laser and inkjet
- Antivirus can't find anything
- Drivers and firmware are updated to the latest version
- The printers function properly, but every 1 or 2 prints they start printing ASCII characters
- The clients are Windows XP 32-bit and Windows 7 64-bit
- Printers are all in the same subnet and VLAN; there's direct connectivity from clients to printers with stable ping. I ruled out network issues

Some of the printer models affected: HP P2055dn, HP2015dn

My organization has 15+ printers and 80+ clients; I need a deployable solution if applicable.

What could I do?

Thank you in advance!

eldblz
  • Right now I'm in the process of upgrading all HP firmware (a newer version is present at least for the P2055dn) and disabling SNMP (which is not used in my organization for printers). This seems to mitigate the problem but not resolve it. – eldblz Jun 09 '12 at 16:17

4 Answers

i've seen this exact problem when using the HP Universal Printer Driver. apparently, this is a known issue with it. the issue is caused by settings from different versions of the driver not being compatible.

for example:

  1. printerA from server1 is installed on client computers using HP universal version 5.3
  2. printerA is used by the clients
  3. some time later, printerB from server2 is installed on those same computers using HP universal version 5.4, upgrading the drivers for all and causing these clients to now use version 5.4 for printerA
  4. printerA now prints gibberish because the version 5.4 driver doesn't understand some settings that the 5.3 driver stored

in our case, even just upgrading the printer driver on a single server caused this problem, too. but the above scenario was how we discovered the problem to begin with.

solution:

make sure the HP Universal Print Driver used is consistent across the organization.

in my case, to clear up the lingering errors, i had to delete and re-create the printers on the print servers to eliminate the old settings that were causing problems. these settings then were pushed down to the clients, mostly eliminating the problem. a few problem children were fixed by deleting and re-adding the printers on those clients.

longneck
  • Thanks for your reply. Printers are installed directly on the clients (TCP/IP port), not shared by a server. However, drivers are "consistent": every machine connected to a specific printer has the same driver. However, I'll check for peace of mind. – eldblz Jun 09 '12 at 16:21

This isn’t a virus; this is driver corruption.

  • Uninstall the printer.
  • Remove all traces of the driver
  • Reinstall the printer and the correct driver.
  • TEST.

This should resolve your issue.

Zapto
  • First of all, thanks for your reply. Is it possible that different drivers on different machines (80+) get corrupted in the blink of an eye, all of a sudden? I don't believe so. However, reinstalling the drivers didn't resolve the issue (already tried). – eldblz Jun 08 '12 at 08:09
  • Windows Update could have killed it. A virus definition in your antivirus may have killed it. If you have 80+ machines, why are you not using print queues? – Zapto Jun 08 '12 at 08:15
  • We're using network printers; every office with 10 clients has 1 printer and 1 multifunction copier (not affected by this problem). We use WSUS and we approved no updates in the last week (the problem presented yesterday); in theory Microsoft uses a Patch Tuesday policy. Our antivirus is Symantec Endpoint Protection; consider that the printers have been installed for more than 1 year. However, thank you, I'll look into it and I'll let you know. – eldblz Jun 08 '12 at 08:19

I'd say corrupt driver / spools due to update. But then I just read this on SANS:

There have been several reports now of PCs on the network printing what looks like an executable to a large number of printers. Several scanning tools will cause this kind of behaviour, but in the instances I know of these tools were not being used on the network at the time. The various AV products aren't great at picking this up, yet.

If you have this happen in your network use your logs to determine the sending machine (will be in the print logs) and take it offline for investigation and re-imaging. If you happen to have the actual malware upload it via the contact form and make our malware guys and gals happy.

Mark

charlesbridge
  • Thanks for your reply. On Monday I'll try to identify the machine (I already have a suspect) and I'll get back to you. – eldblz Jun 09 '12 at 16:19
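
One way to act on the quoted SANS advice and find the sending machine from print logs, as an added example that is not part of the original answer or of the SANS diary: it flags a client that sends jobs to several printers within a few minutes or submits a 50+ page job. The CSV layout, the host, user and printer names and the thresholds are assumptions of this example, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: host, user and printer names are made up, and the
# column layout is an assumption of this example, not a Windows export format.
SAMPLE_LOG = """\
time,client,user,printer,pages
2012-06-07 09:01:10,PC-ACCT-03,user1,PRN-1F,2
2012-06-07 11:30:42,PC-ACCT-03,user1,PRN-1F,5
2012-06-07 14:02:05,PC-SALES-07,user2,PRN-1F,57
2012-06-07 14:02:40,PC-SALES-07,user2,PRN-2F,61
2012-06-07 14:03:15,PC-SALES-07,user2,PRN-3F,52
2012-06-07 15:20:00,PC-HR-01,user3,PRN-2F,3
"""


def suspicious_senders(log_text, window=timedelta(minutes=10),
                       min_printers=3, min_pages=50):
    """Return {client: [reasons]} for hosts whose jobs match the reported pattern."""
    jobs = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        jobs[row["client"]].append((when, row["printer"], int(row["pages"])))

    findings = {}
    for client, entries in jobs.items():
        entries.sort()
        reasons = []
        # Fan-out: one host reaching many distinct printers inside one window.
        for i, (start, _, _) in enumerate(entries):
            printers = {p for t, p, _ in entries[i:] if t - start <= window}
            if len(printers) >= min_printers:
                reasons.append("fan-out to %d printers" % len(printers))
                break
        # Runaway job: a single job far larger than normal office printing.
        biggest = max(pages for _, _, pages in entries)
        if biggest >= min_pages:
            reasons.append("job of %d pages" % biggest)
        if reasons:
            findings[client] = reasons
    return findings
```

On Windows 7 clients, per-job records of this kind are written to the Microsoft-Windows-PrintService/Operational event log (event ID 307) once that log is enabled.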

So far I found these reports, in addition to the SANS ISC Diary post:

http://community.spiceworks.com/topic/232157-printer-prints-virus-string-until-out-of-paper?page=2

  • See post from "kinggeorge" on Jun 08, 2012 at 07:01 AM page 2: " ... Only on the Windows 7, we found a (hidden) scheduled task, that used rundll32.exe with a randomly generated dll-file in c:\windows\system32 ..."

https://community.mcafee.com/thread/45989?start=10&tstart=0

  • Post #14 from "mrussell77" on Jun 8, 2012 8:02 AM confirms registry keys reported in the SANS diary comments.
  • Post #15 from "scorpy" on Jun 8, 2012 7:58 AM mentions the scheduled task.
S. Yoder
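
A way to check collected task definitions for the scheduled task described in the quoted Spiceworks post (added example, not from the original answer or the linked threads): it parses Task Scheduler XML and reports hidden tasks whose action is rundll32.exe loading a DLL from system32. The task names, DLL name and sample XML are constructed; it assumes the definitions were copied from each Windows 7 client's %SystemRoot%\System32\Tasks folder and are read in binary mode.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed samples: task names, DLL name and commands are made up for the example.
SAMPLE_TASKS = {
    "kbupd": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\Windows\system32\rundll32.exe</Command>
    <Arguments>"C:\Windows\system32\qkzvtrwp.dll",Start</Arguments>
  </Exec></Actions>
</Task>""",
    "NightlyBackup": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\Tools\backup.exe</Command>
    <Arguments>/full</Arguments>
  </Exec></Actions>
</Task>""",
}


def rundll32_actions(task_xml):
    """Return [(dll_path, hidden)] for every rundll32 action in one task definition."""
    root = ET.fromstring(task_xml)  # accepts str, or bytes read from a UTF-16 task file
    hidden = root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true"
    hits = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        if not re.search(r"(^|[\\/])rundll32(\.exe)?$", command, re.I):
            continue
        args = ex.findtext("t:Arguments", "", NS) or ""
        # rundll32 arguments are <dll>,<entry point>; skip switches, allow a quoted path.
        m = re.match(r'\s*(?:/\S+\s+)*(?:"([^"]+)"|([^\s,]+))', args)
        hits.append(((m.group(1) or m.group(2)) if m else "", hidden))
    return hits


def triage(tasks):
    """tasks: {name: xml}. Return (name, dll) for hidden tasks running a system32 DLL."""
    flagged = []
    for name, xml_data in sorted(tasks.items()):
        for dll, hidden in rundll32_actions(xml_data):
            if hidden and re.search(r"\\system32\\[^\\]+\.dll$", dll, re.I):
                flagged.append((name, dll))
    return flagged
```

A hit is a lead for investigation rather than proof, since legitimate Windows tasks also use rundll32.exe; compare the result against a known-clean machine.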