Delta Airline spammed trojan

March 6, 2009

--Updated March 5, 2009---

SonicWALL UTM Research team saw two separate waves of Delta Arline spammed Trojan campaign with different attachment payloads between March 2, 2009 and March 5, 2009.

SonicWALL Gateway Antivirus provided proactive protection against these new waves via GAV: Delf.KD (Trojan) signature that was released on Feb 26, 2009. Total Signature hits recorded till now - 137,480 hits (Signature statistics image below)

------------------------------------------------

--Original publish date: February 26, 2009---

SonicWALL UTM Research team observed a new spam campaign starting today, February 26, 2009 which involves a fake e-mail pretending to be arriving from Delta Airlines and containing passenger itinerary receipt. The email has a zip archived attachment which contains the new Trojan executable.

SonicWALL has received more than 1,000 e-mail copies of this malware so far. The e-mail message contains:

Attachment: delta_RQ763.zip (contains delta_RQ763.exe)

Subject:

  • Confirmation of airline ticket purchase at www.delta.com

Email Body:
------------------------
Thanks for the purchase!

Booking number: (random alpha-numeric string)

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket. It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered: - beverages; - food; - daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board! Best regards,

Delta Air Lines
------------------------

A sample of spammed e-mail message looks like this:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file and it looks like following:

screenshot

The Trojan when executed creates following files:

  • (SYSTEM-DIR)twain32local.ds
  • (SYSTEM-DIR)twain32user.ds
  • (SYSTEM-DIR)twain32user.ds.lll
  • (SYSTEM-DIR)twex.exe

It modifies the following Registry key to ensure that Trojan runs every time the system restarts:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: "C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,"

It also tries to connect and download a file from the following URL:

  • hxxp://91.211.65.33/ejik/admin.bin (<- Encrypted configuration data file)

The Trojan has very low detection at the time of writing this alert. It is also known as trojan W32/Trojan2.FXRO [F-Prot] and Trojan-Dropper.Delf [Ikarus].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Delf.KD (Trojan) signature.

screenshot