Northwest Airlines spam

January 21, 2009

SonicWALL UTM Research team observed a new spam campaign starting on Monday, January 12, 2009, which involves a fake e-mail purporting to come from Northwest Airlines and to contain an airline ticket. The e-mail carries a zip-archived attachment that contains a new Trojan.

SonicWALL has received more than 2,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: NorthwestAirlines.zip (contains NorthwestAirlines.exe) or eTicket.zip (contains eTicket.exe)

From: Northwest Airlines (tickets at nwa.com) [Spoofed Email Address]

Subject:

  • E-ticket #(10 digit random number)

Email Body:
------------------------
Hello!

Thank you for using our new service "Buy Northwest Airlines ticket Online" on our website.
Your account has been created:

Your login: (random email address)
Your password: passXXXX (where X = [0-9] OR [A-Z])

Your credit card has been charged for $4NN.NN. (N=0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Mel Michael
Northwest Airlines
------------------------

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document. When executed, the Trojan performs the following host-level activity:

  • Creates a directory twain32 in the system folder and drops files user.ds.lll, user.ds, and local.ds in it.
  • Drops a copy of itself as SYSTEM32\twex.exe

It modifies the following Registry key for itself:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "SYSTEM32\userinit.exe,SYSTEM32\twex.exe,"

It also tries to connect and download files from the following URLs:

  • 91.211.65.33/ferrari/admin.bin
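As an added example (not part of SonicWALL's advisory), the following Python helper checks a Winlogon Userinit value for the extra entry this Trojan appends and matches a system-folder listing against the dropped files listed above; the sample values are constructed from the advisory, and the live registry read assumes a Windows host where HKLM is readable.

```python
"""Detection helper for the Winlogon Userinit persistence described in the advisory.
Constructed example: sample strings below are built from the page, not read from a live host."""
import re
from typing import Iterable, List, Set

# A clean Userinit value holds exactly one program: userinit.exe in the system folder.
# Accept the common spellings of that path; anything else is reported.
LEGIT_USERINIT = re.compile(
    r"^(?:(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\|system32\\)?userinit\.exe$",
    re.I,
)

# File artifacts listed in the advisory, relative to the system folder.
ZBOT_DROPPED_FILES = {"twain32\\user.ds.lll", "twain32\\user.ds", "twain32\\local.ds", "twex.exe"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into program paths, dropping the
    empty entry left behind the trailing comma (Windows and this Trojan both leave one)."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe.
    The Trojan appends SYSTEM32\\twex.exe so it is launched at every interactive logon."""
    return [p for p in parse_userinit(value) if not LEGIT_USERINIT.match(p)]


def check_dropped_artifacts(system32_listing: Iterable[str]) -> Set[str]:
    """Given paths relative to the system folder, return those matching the
    advisory's dropped files (case-insensitive, slash-agnostic)."""
    normalized = {p.lower().replace("/", "\\") for p in system32_listing}
    return {a for a in ZBOT_DROPPED_FILES if a.lower() in normalized}


def read_live_userinit() -> str:
    """Read the real value on a Windows host (assumption: winreg available, HKLM readable)."""
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        return winreg.QueryValueEx(key, "Userinit")[0]
    finally:
        key.Close()


if __name__ == "__main__":
    sample = r"SYSTEM32\userinit.exe,SYSTEM32\twex.exe,"  # constructed, mirrors the advisory
    print(suspicious_userinit_entries(sample))  # ['SYSTEM32\\twex.exe']
    print(check_dropped_artifacts([r"twain32\user.ds", "twex.exe", "calc.exe"]))
```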

The Trojan is also known as Win32/Spy.Zbot.DZ trojan [Eset], trojan W32/Trojan3.UW [F-Prot], and TR/Spy.ZBot.jzb [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Pakes.ARF (Trojan) signature [12,696 hits recorded].
