Delta Airline spammed trojan (Mar 5, 2009)


–Updated March 5, 2009—

SonicWALL UTM Research team saw two separate waves of Delta Arline spammed Trojan campaign with different attachment payloads between March 2, 2009 and March 5, 2009.

SonicWALL Gateway Antivirus provided proactive protection against these new waves via GAV: Delf.KD (Trojan) signature that was released on Feb 26, 2009. Total Signature hits recorded till now – 137,480 hits (Signature statistics image below)


–Original publish date: February 26, 2009—

SonicWALL UTM Research team observed a new spam campaign starting today, February 26, 2009 which involves a fake e-mail pretending to be arriving from Delta Airlines and containing passenger itinerary receipt. The email has a zip archived attachment which contains the new Trojan executable.

SonicWALL has received more than 1,000 e-mail copies of this malware so far. The e-mail message contains:

Attachment: (contains delta_RQ763.exe)


  • Confirmation of airline ticket purchase at

Email Body:
Thanks for the purchase!

Booking number: (random alpha-numeric string)

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket. It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered: – beverages; – food; – daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board! Best regards,

Delta Air Lines

A sample of spammed e-mail message looks like this:


The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file and it looks like following:


The Trojan when executed creates following files:

  • (SYSTEM-DIR)twain32local.ds
  • (SYSTEM-DIR)twain32user.ds
  • (SYSTEM-DIR)twain32user.ds.lll
  • (SYSTEM-DIR)twex.exe

It modifies the following Registry key to ensure that Trojan runs every time the system restarts:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,”

It also tries to connect and download a file from the following URL:

  • hxxp:// (<- Encrypted configuration data file)

The Trojan has very low detection at the time of writing this alert. It is also known as trojan W32/Trojan2.FXRO [F-Prot] and Trojan-Dropper.Delf [Ikarus].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Delf.KD (Trojan) signature.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.