Hoots-A Worm Preys On Network Printers

Experts at SophosLabs, Sophos’s global network of virus, spyware and spam analysis centres, have discovered a worm that attempts to send a photograph of an owl to attached network printers.

The Hoots-A worm is written in Visual Basic and spreads via network shares. Once it has infected a computer it attempts to send a graphical image of an owl with the legend “O RLY?” to a number of predefined print queues. This owl image is commonly used on online message forums to indicate surprise and the phrase “O RLY?” is internet slang for “Oh really?”

“This isn’t the work of a professional virus writer. Most malware authors these days encrypt their executables with packers in an attempt to make them harder to detect – this one does not. It is also written in Visual Basic, which is unusual for a virus today. But the smoking gun is that the worm has hardcoded within it the specific network paths to almost 40 different printers,” said Graham Cluley, senior technology consultant for Sophos. “It appears this malware was written for a specific organisation, by someone who had inside knowledge of their IT infrastructure.”

“Why the author should want to print out pictures of this owl, of course, anybody’s guess,” continued Cluley.

Sophos has only received reports of the malware from one customer, and is working with the organisation to provide more information which may help identify the creator of the worm.

Sophos recommends companies put in place a consolidated solution to defend against viruses, spyware and spam, and ensure that it is automatically updated as new threats emerge.