Airline Ticket Spam (Nov 14, 2008)
SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008 which involves a fake e-mail pretending to be arriving from an Airline Company and containing Airline Ticket. The email has a zip archived attachment which contains the new Downloader Trojan.
The e-mail looks like following:
Attachment: ticket.zip (contains ticket.doc .exe)
Subject:
- Your flight ticket
- Your ticket from Delta Airlines
- Your ticket from Alaska Airlines
- Your ticket from United Airlines
- Your airplane ticket
Email Body:
————————
Dear Holder
Thank you for using our new service “Buy flight ticket Online” on our website. Your account has been created:
Your login: your-email-address
Your password: random-string
Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Airline Name (E.g. United, Alaska etc)
————————
The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:
The Trojan when executed performs following host level activity:
- Creates a dirctory as C:Program FilesMicrosoft Common
- Drops a copy of itself as C:Program FilesMicrosoft Commonwuauclt.exe
- Deletes the original copy of the file
- Creates multiple .sys files in SYSTEM32DRIVERS directory
- Creates multiple .tmp files which later gets deleted
It creates the following Registry key for itself:
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exeDebugger: “C:Program FilesMicrosoft Commonwuauclt.exe”
It also tries connect and download files from the following URLs:
- furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe – detected as GAV: Wigon.HE (Trojan)]
- kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]
The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].