Airline Ticket Spam
The SonicWALL UTM Research team observed a new spam campaign, starting on Thursday, November 13, 2008, that uses a fake e-mail pretending to come from an airline and to contain a flight ticket. The e-mail carries a zip attachment which contains a new Downloader Trojan.
The e-mail looks like the following:
Attachment: ticket.zip (contains ticket.doc .exe)
Subject:
- Your flight ticket
- Your ticket from Delta Airlines
- Your ticket from Alaska Airlines
- Your ticket from United Airlines
- Your airplane ticket
Email Body:
------------------------
Dear Holder
Thank you for using our new service "Buy flight ticket Online" on our website. Your account has been created:
Your login: your-email-address
Your password: random-string
Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Airline Name (E.g. United, Alaska etc)
------------------------
The executable file inside the zip attachment uses an icon that disguises it as a Microsoft Word document; it looks like the following:
When executed, the Trojan performs the following host-level activity:
- Creates a directory: C:\Program Files\Microsoft Common
- Drops a copy of itself as C:\Program Files\Microsoft Common\wuauclt.exe
- Deletes the original copy of the file
- Creates multiple .sys files in the SYSTEM32\DRIVERS directory
- Creates multiple .tmp files which are later deleted
It creates the following Registry key for itself:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\Program Files\Microsoft Common\wuauclt.exe"
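The registry value above is an Image File Execution Options (IFEO) "Debugger" hijack: Windows starts the named debugger in place of explorer.exe, so the dropped file runs at every logon. The following PowerShell check is an added example, not code from the SonicWALL advisory; it enumerates IFEO subkeys under both the native and Wow6432Node paths (assumed to be the only two locations that matter) and flags a wuauclt.exe that lives outside System32, as the dropped copy does.

```powershell
# Added example, not from the SonicWALL advisory: list every Image File Execution Options
# (IFEO) entry that carries a "Debugger" value. Windows launches that value instead of the
# named image, which is how the Trojan above hijacks explorer.exe. Run from an elevated prompt.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    foreach ($root in $IfeoPaths) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { return }   # this image subkey has no Debugger value

            # Isolate the executable path: a quoted path, or the first whitespace-delimited token.
            if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }
            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }

            # Heuristic taken from this advisory: a file named like the Windows Update client
            # that lives outside %SystemRoot%\System32 is a lookalike, not the real wuauclt.exe.
            $suspicious = ($exe -match '(?i)wuauclt\.exe$' -and $exe -notmatch '(?i)\\Windows\\System32\\')

            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Exists     = $exists
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate software (debuggers, some accessibility tools) also registers IFEO Debugger values, so treat the list as a review queue: an unsigned or missing debugger binary, or one pointing at explorer.exe, is what warrants investigation.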
It also tries to connect to and download files from the following URLs:
- furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe - detected as GAV: Wigon.HE (Trojan)]
- kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]
The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].