Northwest Airlines spam
The SonicWALL UTM Research team observed a new spam campaign, starting on Monday, January 12, 2009, consisting of fake e-mails that claim to come from Northwest Airlines and to deliver an airline ticket. Each e-mail carries a ZIP attachment that contains a new Trojan.
SonicWALL has received more than 2,000 copies of this e-mail so far. The e-mail looks like the following:
Attachment: NorthwestAirlines.zip (contains NorthwestAirlines.exe) or eTicket.zip (contains eTicket.exe)
From: Northwest Airlines (tickets at nwa.com) [Spoofed Email Address]
Subject:
- E-ticket #(10 digit random number)
Email Body:
------------------------
Hello!
Thank you for using our new service "Buy Northwest Airlines ticket Online" on our website.
Your account has been created:
Your login: (random email address)
Your password: passXXXX (where X = [0-9] OR [A-Z])
Your credit card has been charged for $4NN.NN. (N=0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Mel Michael
Northwest Airlines
------------------------
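As an added example, not SonicWALL's code, the following Python filter scores an incoming message against the indicators quoted above: the "E-ticket #" subject followed by ten digits, the spoofed nwa.com sender, the two known attachment names, and, decisively, a ZIP that carries a Windows executable, detected by extension or by the PE "MZ" header so that a renamed .exe is still caught. The sample message and its ZIP are constructed inline; the extensions beyond .exe are an assumption that broadens the check slightly beyond what the page reports.

```python
"""Mail-side check for the Northwest Airlines e-ticket spam (added example)."""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the campaign description above.
SUBJECT_RE = re.compile(r"^E-ticket #\d{10}$")
KNOWN_ATTACHMENTS = {"NorthwestAirlines.zip", "eTicket.zip"}
# The campaign used .exe; the other extensions are an assumption that widens
# the check to the usual Windows executable types.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zip_executables(data: bytes) -> list:
    """Return names of ZIP members that are Windows executables, judged by
    extension or by the PE 'MZ' magic, so a renamed .exe is still caught."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)
                if info.filename.lower().endswith(EXECUTABLE_EXTS) or head == b"MZ":
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; nothing to inspect
    return found


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and list which campaign indicators it hits.
    'block' is set only on the hard evidence: an executable inside a ZIP."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject matches 'E-ticket #' + 10 digits")
    if "nwa.com" in msg.get("From", "").lower():
        hits.append("sender claims to be nwa.com")
    block = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in KNOWN_ATTACHMENTS:
            hits.append(f"known attachment name {name}")
        if name.lower().endswith(".zip"):
            exes = zip_executables(part.get_payload(decode=True) or b"")
            if exes:
                hits.append(f"{name} contains executable(s): {exes}")
                block = True
    return {"hits": hits, "block": block}


def build_sample() -> bytes:
    """Constructed sample resembling the campaign; the 'executable' is just
    the PE magic followed by padding, not a real binary."""
    payload = build_zip({"NorthwestAirlines.exe": b"MZ" + b"\x00" * 62})
    msg = EmailMessage()
    msg["From"] = "Northwest Airlines <tickets@nwa.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "E-ticket #4826104417"  # constructed 10-digit number
    msg.set_content("Hello!\nAttached to this message is the purchase Invoice "
                    "and the Northwest Airlines ticket.\n")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename="NorthwestAirlines.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

The subject and sender checks are only corroborating signals, since the spammer can change them at will; the decision to block rests on the archive's contents, which is why the ZIP inspection reads each member's first two bytes rather than trusting file names.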
The executable inside the ZIP attachment uses an icon disguised as a Microsoft Word document. When executed, the Trojan performs the following host-level activity:
- Creates a directory twain32 in the system folder and drops the files user.ds.lll, user.ds, and local.ds in it.
- Drops a copy of itself as SYSTEM32\twex.exe
It modifies the following registry value so that it is launched by Winlogon at every logon:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "SYSTEM32\userinit.exe,SYSTEM32\twex.exe,"
It also tries to connect to and download a file from the following URL:
- 91.211.65.33/ferrari/admin.bin
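As an added example, not SonicWALL's code, the following Python check looks for the persistence and dropped files listed above: it parses the Winlogon Userinit value and reports any entry other than userinit.exe, and it tests for the twex.exe and twain32 artifacts relative to the system folder. The file-existence test is injectable so the logic can be exercised against a constructed file system off Windows; on Windows the script reads the live registry value with winreg. The sample Userinit value is the one quoted above.

```python
"""Host-side check for the Zbot variant's persistence (added example)."""
import ntpath
import os

EXPECTED_USERINIT = "userinit.exe"
# File-system indicators from the write-up, relative to the system folder.
IOC_RELATIVE_PATHS = [
    r"twex.exe",
    r"twain32\user.ds",
    r"twain32\user.ds.lll",
    r"twain32\local.ds",
]


def userinit_extras(value: str) -> list:
    """Return every entry in a Userinit value other than the legitimate
    userinit.exe. The value is comma-separated and normally ends with a comma;
    ntpath is used so Windows paths parse correctly on any platform."""
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if ntpath.basename(entry).lower() == EXPECTED_USERINIT:
            continue
        extras.append(entry)
    return extras


def ioc_paths(system_dir: str) -> list:
    """Absolute paths of the dropped-file indicators under system_dir."""
    return [ntpath.join(system_dir, p) for p in IOC_RELATIVE_PATHS]


def existing_iocs(system_dir: str, exists=os.path.exists) -> list:
    """Indicator paths that exist; `exists` is injectable for offline testing."""
    return [p for p in ioc_paths(system_dir) if exists(p)]


def assess(userinit_value: str, system_dir: str, exists=os.path.exists) -> dict:
    """Combine both checks; anything beyond userinit.exe or any dropped file
    present marks the host suspicious."""
    extras = userinit_extras(userinit_value)
    present = existing_iocs(system_dir, exists)
    return {"userinit_extras": extras, "iocs_present": present,
            "suspicious": bool(extras or present)}


def read_live_userinit() -> str:
    """Read the live Userinit value; raises ImportError off Windows."""
    import winreg  # only available on Windows
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "Userinit")
    return value


if __name__ == "__main__":
    try:
        value = read_live_userinit()
        system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    except (ImportError, KeyError, OSError):
        # Off Windows: use the value quoted in the write-up as constructed input.
        value = r"SYSTEM32\userinit.exe,SYSTEM32\twex.exe,"
        system_dir = r"C:\WINDOWS\system32"
    print(assess(value, system_dir))
```

A clean Userinit value contains exactly one entry, userinit.exe, so the check does not need to know the malware's file name in advance: any second entry is worth investigating, which makes the same function useful for later Zbot builds that drop a differently named copy.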
The Trojan is also known as Win32/Spy.Zbot.DZ trojan [Eset], trojan W32/Trojan3.UW [F-Prot], and TR/Spy.ZBot.jzb [AntiVir].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Pakes.ARF (Trojan) signature [12,696 hits recorded].