Forum Thread: can a trojan be placed in a Printer program?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
taffy078 can a trojan be placed in a Printer program?
Contributor 25th Sep, 2012 07:56
Ranking: 408
Posts: 1,352
User Since: 26th Feb, 2009
System Score: 100%
Location: UK
As you'll gather from the heading, I haven't got a clue about the nitty gritty of trojans, other than they are a pain in the a**e, just like the sick people who put them there.

I have an HP Deskjet F2280 - it's adequate for my needs and works well and cost-effectively.

The main software is the HP Solution Centre. This was updated/revamped recently, since when I've experienced a few problems so I've posted on the HP Forum.

One of the problems was that Malwarebytes found Trojan.Spatet in the HP file and registry (results below). It was the first time since the update that I ran Malwarebytes. It might just be a co-incidence or perhaps even a false positive.

I need to ask about this on the Malwarebytes forum but before I do, can our resident experts spare my blushes there and tell me if it is likely, or even possible, for someone to get into my PC and plant a trojan in a Vendor's software? I'm confident that my anti-virus/firewall will stop this which is why I wonder if it was already in the software, or is a False Positive.

in the file: C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe
in the Registry Value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 25th Sep, 2012 09:59
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Although by no stretch of the imagination am I an expert the answer is yes being as the software is on your PC.

I think U will find the HP solution Centre is a standalone programme in Control Panel>add/remove? If so just uninstall it if U do not use/want it.

I would contact Malwarebytes support - http://www.malwarebytes.org/contact_consumer/

Better if U insert your order number as it gives U priority support. They will investigate if it is a false positive. I assume it has put the offending items in quarantine?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 25th Sep, 2012 10:52
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
thanks Maurice.

I think that the Solution Centre is the only way to change settings when scanning to file e.g. whether to save as jpg or tif etc and also for other scan/copy tasks. So at the moment it looks like I need it. I'll check though.

I'll contact Malwarebytes as you suggest though I've no order number - I use the free version. Yes - it has put it in quarantine.

I'll come back with the outcome.

In closing, I've just had a thought. Perhaps the timing is a coincidence. This blasted trojan may have slipped through because of the recent Internet Explorer security problems.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 25th Sep, 2012 10:56
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Highly unlikely - looks like a false positive to me. I have reported a few to them & they have always been happy to test & adjust their database if necessary.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: can a trojan be placed in a Printer program?
Expert Contributor 25th Sep, 2012 16:15
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Sep, 2012 16:19
Hi taffy ,

The Trojan Spatet has many versions shown by letter ; here is what Eset say about (an early) version A :-

http://go.eset.com/us/threat-center/encyclopedia/t...

As you can see it is a nasty piece of work and to be treated with real care .

Bear in mind that no A/V or A/S is 100% (however much faith you may have in it - that's why you have MBAM as well) and may not detect the Trojan until it tries to run ; as it contains a backdoor it is doubly dangerous . Such a Trojan could get in your printer software through an infected file and might initially be difficult to detect as such .

I would not know if it is a False Positive or not , nothing indicates whether it is one way or the other , as Maurice has said , only MBAM can confirm that (one way or another) .

Whilst waiting you can always run the MBAM .qua file past VirusTotal or Jotti .

EDIT : Here is the MBAM Forum page for reporting FP's :-

http://forums.malwarebytes.org/index.php?s=677e344...

Let us know your progress

Anthony

--


It always seems impossible until its done.
Nelson Mandela
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 25th Sep, 2012 18:07
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thanks Anthony. I'm waiting for the results from Virus Total but am having problems with Jotti.
I found this address (http://virusscan.jotti.org/en-gb), browsed for the MWB report but the "submit file" box is greyed out.

Am I missing something obvious?

PS Which file should I submit? The infected file is now in quarantine.

PPS Virus Total found nothing but there again it was the MWB report that I submitted!!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 25th Sep, 2012 18:13
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
OMG!!!!!!!!

I've just remembered the below email from NVIDIA a few months ago. Could this be the cause?
PS I haven't had their update email/new password yet.

Recent Attacks on NVIDIA Forums 13th July 2012
Dear NVIDIA Forum User,
We suspended operations of the NVIDIA Forums last week in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.
Our investigation has identified that unauthorized third parties gained access to some user information, including:

• username
• email address
• hashed passwords with random salt value
• public-facing “About Me” profile information
NVIDIA did not store any passwords in clear text. “About Me” optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.
NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.
All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to your registered email address.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.
Check back on the NVIDIA Forums for updates.


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 25th Sep, 2012 18:16
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
The reason NVIDIA hasn't emailed me my new password yet is that they're still sorting it out:

http://www.nvidia.com/content/forums/index.html

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Anthony Wells RE: can a trojan be placed in a Printer program?
Expert Contributor 25th Sep, 2012 22:46
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi taffy ,

Not sure what MWB report you are referring to but the quarantined file (.qua usually) is "usually" found by browsing to :-

C:\Docs & Settings\Your Name\AppData(a hidden folder/file)\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine .

The Jotti page is fine for me ; after you browse and select a file the greyed out "Submit" link works (fine :).

The Nvidia problem sounds like it is their database rather than something on your machine . Never had the email myself but I am not registered on their Forum .

Retry VirusTotal and Jotti with the .qua file .

Anthony


--


It always seems impossible until its done.
Nelson Mandela
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 26th Sep, 2012 07:54
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi, Anthony. I've realised my mistake. The file that I sent to Virus Total was in fact MWB's scan report, not the quarantined file.
Thanks to your help, I found the (hidden) .quar file. Virus Total scored it '0' which I assume means it's clear, so pointing perhaps to a False Positive.

I tried Jotti again - I browsed, found the infected file and clicked on 'open'. The folder path appeared but the grey window with 'submit file' in white remained dead. When I hovered the cursor over it, the cursor changed from the arrow to a perpendicular line.

I took NVidia's email as a warning that their forum may have been compromised enabling the bstds who did it to access members' PCs, which is why I wondered if that was the source of my problem. But I've just this second had an awful thought. Last week, I was asked to sign up to Facebook to help resolve a problem for a local sports club. I copied a photo from there, pasted it in Word and then tried to print it. My printer took ages and in the end I had to abort the print.

The photo was of a group of the club's members. I'm now wondering if the person who posted that photo had an infected PC, could the trojan have been 'inside' the photo?



--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 26th Sep, 2012 10:11
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Taffy,
Are you still running Norton Internet Security?

This Trojan has been around a very long time, is low level & is easily removed.

Here are the details:
Background
http://www.symantec.com/security_response/writeup....

Technical Details

http://www.symantec.com/security_response/writeup....

Removal Details.

http://www.symantec.com/security_response/writeup....

I would not link the NVIDIA incident to the Malwarebytes find. Provided all your passwords are different or were changed on the 12th July that should be good enough to kill that one off.

If really concerned run a full viral scan & then just sit back & wait for Malwarebytes to respond if the scan is negative.

If you cannot wait for that you can run HiJack This -

http://fs34.filehippo.com/5339/4e88bde118e14f16be4...

Once you run the scan send the file to me by email & I will look at it for you.

I am assuming this is the alleged offending file - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 26th Sep, 2012 14:01
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thank you Maurice, Anthony. It seems that the cause of this entire blasted episode was some problem with Malwarebytes.

The following thread isn't mine but the young lady who posted it summed up the frustrations very nicely!

http://forums.malwarebytes.org/index.php?showtopic...

I am sorry for having wasted your time but I've learnt a lot during this short time. I hope that other members have too! :0)



--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 26th Sep, 2012 16:20
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Pleased it is all sorted for you.

How are U getting on with this thread?

https://secunia.com/community/forum/thread/show/13...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: can a trojan be placed in a Printer program?
Expert Contributor 26th Sep, 2012 21:57
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi taffy ,

Good news it seems , although the poster is not specific about the Trojan FP's name , it sounds like yours

If I were you , I would return the quarantined file(s) to your system and then browse to them , right click and in the pop-up menu you should see your security programmes and you can scan that/those files individually and thus quickly . I suggest this as those files may be important to and/or a part of your printer problems .

In addition , as MBAM found a problem in the last scan , it is always advisable to (re)run a full scan until it shows as clean .

As far as your exploits with the Facebook 'photo , that is certainly a possible way to infect your PC . The Trojan Maurice has pointed to at Symantec is an early version and easy for your NIS to deal with which is not to say that there are not more recent versions being updated , say for Facebook . Koobface , for example , is constantly being modified .

You were very wise to take all the precautions and measures you did .

Let us know if an MBAM scan has now cleared the detection problem

Jotti's greyed out link works fine for me when I left click .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 26th Sep, 2012 22:49
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 26th Sep, 2012 22:50
Anthony,
Done & dusted. I think Taffy perhaps has posted the wrong link.

http://forums.malwarebytes.org/index.php?showtopic...


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: can a trojan be placed in a Printer program?
Expert Contributor 26th Sep, 2012 23:05
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Thanks Maurice . Loaded and locked :)

Anthony

--


It always seems impossible until its done.
Nelson Mandela
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 27th Sep, 2012 11:06
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. No mistake with that link. Rather than show you my thread, I wanted to show you another MWB-AM user's thread, as this confirms that MWB was having a problem.

Thanks again.


PS just responded to https://secunia.com/community/forum/thread/show/13...

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: can a trojan be placed in a Printer program?
Handling Contributor 27th Sep, 2012 12:54
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I do not think it is a Malwarebyte "problem" - more a daily routine. Any good and dedicated scanner will create the odd false positive/are missing data from their database/have corrupt links.

I use Malwarebytes Pro & the programme has no problems running & in my case has produced no false positives for a very long time.

As previously stated I have reported numerous to Malwarebytes & Secunia. Both have corrected them or explained why they are not prepared to do so in a timely manner.

Cyberworld at its best!

Hope you are not near the floods?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: can a trojan be placed in a Printer program?
Contributor 27th Sep, 2012 15:00
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thank you, Maurice. No - the floods have missed us, thank goodness. Yesterday we had four inches of rain during the day so what fell into the local rivers will have caused problems lower down.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
