Airline Ticket Spam

November 18, 2008

SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008 which involves a fake e-mail pretending to be arriving from an Airline Company and containing Airline Ticket. The email has a zip archived attachment which contains the new Downloader Trojan.

The e-mail looks like following:

Attachment: (contains ticket.doc .exe)


  • Your flight ticket
  • Your ticket from Delta Airlines
  • Your ticket from Alaska Airlines
  • Your ticket from United Airlines
  • Your airplane ticket

Email Body:
Dear Holder

Thank you for using our new service "Buy flight ticket Online" on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:


The Trojan when executed performs following host level activity:

  • Creates a dirctory as C:Program FilesMicrosoft Common
  • Drops a copy of itself as C:Program FilesMicrosoft Commonwuauclt.exe
  • Deletes the original copy of the file
  • Creates multiple .sys files in SYSTEM32DRIVERS directory
  • Creates multiple .tmp files which later gets deleted

It creates the following Registry key for itself:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exeDebugger: "C:Program FilesMicrosoft Commonwuauclt.exe"

It also tries connect and download files from the following URLs:

  •[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe - detected as GAV: Wigon.HE (Trojan)]
  •[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].