Airline Ticket Spam

November 18, 2008

SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008 which involves a fake e-mail pretending to be arriving from an Airline Company and containing Airline Ticket. The email has a zip archived attachment which contains the new Downloader Trojan.

The e-mail looks like following:

Attachment: ticket.zip (contains ticket.doc .exe)

Subject:

  • Your flight ticket
  • Your ticket from Delta Airlines
  • Your ticket from Alaska Airlines
  • Your ticket from United Airlines
  • Your airplane ticket

Email Body:
------------------------
Dear Holder

Thank you for using our new service "Buy flight ticket Online" on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)
------------------------

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:

screenshot

The Trojan when executed performs following host level activity:

  • Creates a dirctory as C:Program FilesMicrosoft Common
  • Drops a copy of itself as C:Program FilesMicrosoft Commonwuauclt.exe
  • Deletes the original copy of the file
  • Creates multiple .sys files in SYSTEM32DRIVERS directory
  • Creates multiple .tmp files which later gets deleted

It creates the following Registry key for itself:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exeDebugger: "C:Program FilesMicrosoft Commonwuauclt.exe"

It also tries connect and download files from the following URLs:

  • furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe - detected as GAV: Wigon.HE (Trojan)]
  • kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].