The SonicWALL UTM Research Team has observed multiple Trojan spam runs during the week starting August 27, 2008, which included the Labor Day weekend. Common to all of these runs is that the Trojan arrives via e-mail as an executable inside a zipped archive attachment.
Summary:
- Western Union MTCN spam
- Online Flight Ticket spam
- Airmail Express delivery failure spam
- Fedex Tracking number spam
Western Union MTCN spam
This spam wave started on August 27, 2008 and continued for 2 days. The e-mail contains a fake message claiming that your Western Union money transfer transaction has been halted or bounced. The e-mails look like the following:
Attachment:
- RN67761263.zip (contains file RN67761263.exe)
- In776162.zip (contains file In776162.exe)
Subjects: Western Union MTCN #<10 digit number>
Message Body:
——————
Hello!
Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.
Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. <5 digit number> since the recipient has been undergoing the international retrieval by the InterPol.
Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.
(The invoice file is attached to this message; please print it out and hand it to our agent.)
You can find the address of the closest Western Union agent on our website at http://www.westernunion.com
Thank you!
——————
SonicWALL detection for these Trojans:
- GAV: Zbot.EJX (Trojan) [Hits recorded: 851]
- GAV: ZBot.EJW (Trojan) [Hits recorded: 4,210]
Online Flight Ticket spam
The first wave of this spam was seen on August 28, 2008 and lasted just 1 day. Another wave of this campaign, with a different attachment name, started on Labor Day and continued until September 2, 2008. The e-mail pretends to contain an online flight ticket invoice. The e-mails look like the following:
Attachment:
- eTicket_N832.zip (contains file eTicket_N832.exe)
- e-Ticket_S737.zip (contains file e-Ticket_S737.exe)
Subjects: Your Online Flight Ticket N <5 digit number>
Message Body:
——————
Dear customers, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:
Your login: Your password: pass<4 random characters>
Your credit card has been charged for $6XX.XX. [where X can be 0-9] We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards, Virgin America
——————
SonicWALL detection for these Trojans:
- GAV: AutoRun.WK (Worm) [Hits recorded: 7,892]
- GAV: Emold.A_2 (Trojan) [Hits recorded: 107,996]
Airmail Express delivery failure spam
The first wave of this spam was seen on August 28, 2008 and lasted for 2 days. Another wave of this campaign, with different attachment names, started on Labor Day and continued until September 3, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and asks you to print out the attached copy of the invoice. The e-mails look like the following:
Attachment:
- AIRMAIL#7661224.zip (contains file AIRMAIL#7661224.exe)
- AIRMAIL_76612.zip (contains file AIRMAIL_76612.exe)
- #876712.zip (contains file #876712.exe)
- 5322412.zip (contains file 5322412.exe)
Subjects:
- AIRMAIL EXPRESS $_ <random number>
- Airmail Tracking number #<7 digit random number>
Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office
AIRMAIL EXPRESS
——————
SonicWALL detection for these Trojans:
- GAV: Zbot.AIR (Trojan) [Hits recorded: 198,947]
- GAV: Zbot.EKQ (Trojan) [Hits recorded: 38]
- GAV: Zbot.EMQ (Trojan) [Hits recorded: 266]
- GAV: Zbot.EOD (Trojan) [Hits recorded: 4068]
- GAV: Zbot.ENM (Trojan) [Hits recorded: 34,337]
Fedex Tracking number spam
This spam started on Labor Day and continued until September 2, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and asks you to print out the attached copy of the invoice. Note that the attachment uses a double extension (.doc.exe) so that the executable looks like a document. The e-mails look like the following:
Attachment: TR87190-18721.doc.zip (contains file TR87190-18721.doc.exe)
Subjects: Tracking N <10 digit random number>
Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on July the 25 in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.
Your FEDEX www.fedex.com
——————
SonicWALL detection for this Trojan:
- GAV: Agent.ACCI (Trojan) [Hits recorded: 895]
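Every campaign above delivers a Windows executable inside a zip attachment, and the Fedex run adds a double extension (TR87190-18721.doc.exe). As an added example, not part of the SonicWALL advisory, the following Python mail-gateway style check inspects a zipped attachment for executable members, document-style double extensions, and PE ("MZ") content hiding under a harmless name; the sample archives are constructed in memory and only reuse the attachment names from the advisory.

```python
import io
import os
import zipfile

# File extensions that should never arrive inside an unsolicited "invoice" zip.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document extensions used as the decoy half of a double extension (.doc.exe).
DOCUMENT_EXTS = {".doc", ".pdf", ".txt", ".xls"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return (member name, reason) findings for one zipped e-mail attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    for info in zf.infolist():
        stem, ext = os.path.splitext(info.filename.lower())
        if ext in EXECUTABLE_EXTS:
            reason = "executable inside zip attachment"
            if os.path.splitext(stem)[1] in DOCUMENT_EXTS:
                reason = "double extension disguising executable as document"
            findings.append((info.filename, reason))
        else:
            # Name looks harmless: check the content for a Windows PE ("MZ") header.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "MZ header in non-executable name"))
    return findings


def build_sample(members: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples reusing the attachment names from the advisory; the
# "executables" are a 64-byte MZ stub, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "RN67761263.zip": build_sample({"RN67761263.exe": FAKE_PE}),
    "TR87190-18721.doc.zip": build_sample({"TR87190-18721.doc.exe": FAKE_PE}),
    "renamed.zip": build_sample({"invoice.pdf": FAKE_PE}),
    "clean.zip": build_sample({"invoice.txt": b"plain text only"}),
}
```

Calling `inspect_zip_attachment(SAMPLES["TR87190-18721.doc.zip"])` flags the double extension, while the clean archive returns an empty list.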