Northwest Airlines spam (Jan 12, 2009)


The SonicWALL UTM Research team observed a new spam campaign that started on Monday, January 12, 2009. The campaign involves a fake e-mail that pretends to come from Northwest Airlines and to deliver an airline ticket. The e-mail carries a zip-archived attachment containing a new Trojan.

SonicWALL has received more than 2,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: NorthwestAirlines.zip (contains NorthwestAirlines.exe) or eTicket.zip (contains eTicket.exe)

From: Northwest Airlines (tickets at nwa.com) [Spoofed Email Address]

Subject:

  • E-ticket #(10 digit random number)

Email Body:
————————
Hello!

Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:

Your login: (random email address)
Your password: passXXXX (where X = [0-9] OR [A-Z])

Your credit card has been charged for $4NN.NN. (N=0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Mel Michael
Northwest Airlines
————————

The executable file inside the zip attachment uses an icon disguised as a Microsoft Word document. When executed, the Trojan performs the following host-level activity:

  • Creates a directory twain32 in the system folder and drops the files user.ds.lll, user.ds, and local.ds in it.
  • Drops a copy of itself as SYSTEM32\twex.exe

It modifies the following Registry key for itself:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “SYSTEM32\userinit.exe,SYSTEM32\twex.exe,”

It also tries to connect to and download files from the following URL:

  • 91.211.65.33/ferrari/admin.bin
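The persistence mechanism above (an extra executable appended to the Winlogon Userinit value) and the dropped files are the host-level indicators a defender would check for. The following script is an added example written for this page, not SonicWALL's own tooling: it parses a Userinit value into its entries, flags any entry other than userinit.exe, and matches a listing of paths under the system folder against the artifact names given in the advisory. The sample registry values and file listing at the bottom are constructed; the optional live read uses the standard winreg module and is skipped on non-Windows hosts.

```python
"""Check Winlogon Userinit and the system folder for the Zbot indicators
described in the advisory. Added example, not SonicWALL's code; sample
inputs below are constructed."""
import re
from typing import Dict, Iterable, List, Optional

# The only program Windows itself places in Userinit; a trailing comma is normal.
EXPECTED_USERINIT = {"userinit.exe"}

# Artifacts named in the advisory, as paths relative to the system folder.
TROJAN_ARTIFACTS = {
    "twex.exe",
    "twain32/user.ds.lll",
    "twain32/user.ds",
    "twain32/local.ds",
}

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit registry string into its program entries (empty items dropped)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return Userinit entries whose file name is not userinit.exe.

    Any such entry is launched at every interactive logon, which is exactly
    how the Trojan above makes twex.exe persist."""
    return [e for e in parse_userinit(value) if basename(e) not in EXPECTED_USERINIT]


def find_artifacts(system_dir_listing: Iterable[str]) -> List[str]:
    """Return the paths in a system-folder listing that match the advisory's artifacts."""
    hits = []
    for path in system_dir_listing:
        normalised = path.replace("\\", "/").lower().lstrip("/")
        if normalised in TROJAN_ARTIFACTS:
            hits.append(path)
    return hits


def assess(userinit_value: str, system_dir_listing: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one verdict for a host."""
    extra = unexpected_userinit_entries(userinit_value)
    artifacts = find_artifacts(system_dir_listing)
    return {
        "userinit_extra": extra,
        "artifacts": artifacts,
        "suspicious": bool(extra or artifacts),
    }


def read_live_userinit() -> Optional[str]:
    """Read the real Userinit value on a Windows host; None elsewhere (assumption:
    the script is run with enough privilege to open HKLM)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed sample values: a clean host and one showing the advisory's indicators.
    clean_value = "C:\\Windows\\system32\\userinit.exe,"
    infected_value = "SYSTEM32\\userinit.exe,SYSTEM32\\twex.exe,"
    clean_listing = ["drivers\\etc\\hosts", "userinit.exe"]
    infected_listing = ["twain32\\user.ds", "twex.exe", "drivers\\etc\\hosts"]

    print("clean host:   ", assess(clean_value, clean_listing))
    print("infected host:", assess(infected_value, infected_listing))

    live = read_live_userinit()
    if live is not None:
        print("this host:    ", assess(live, []))
```

The check keys on the file name of each Userinit entry rather than on the full path, because the Trojan's entry and the legitimate one share the same SYSTEM32 prefix; any second program in that value is worth investigating regardless of its name.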

The Trojan is also known as Win32/Spy.Zbot.DZ trojan [Eset], W32/Trojan3.UW [F-Prot], and TR/Spy.ZBot.jzb [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Pakes.ARF (Trojan) signature [12,696 hits recorded].


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.