ZBot trojan attached to flight ticket confirmation
July 25, 2008
A new variant of the ZBot trojan is attached to a flight ticket confirmation email. Possible subject lines are:
Your order N9708902
Online order for ticket N688610
Online order for airplane ticket N688610
Your ticket from {airlines} N3076437
Your ticket from {airlines}
Your airplane ticket
The contents of the message:
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: Chapmanavance
Your password: passMWS8
Your credit card has been charged for $405.36.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Rusty Doherty
Delta Air Lines
Attachments are .zip files named E-ticket_N7399294.zip (the number is random), containing an executable named E-ticket_N7399294_and_Invoice_for_N73992943442.exe.
On an infected computer the trojan creates a new directory, %System%\wsnpoem, and new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll.
It also adds and modifies entries in the Windows registry and connects to a server at http://*********.ru/alaska/alaska.bin. It opens random TCP ports in order to provide backdoor capabilities.
Virus Total permalink and the MD5 hash: e3254936ed358457ed303529e7c2fa8f.
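The subject lines and attachment naming described above can be turned into a mail-filter check. The following is an added example, not code from the original post: the function names and indicator labels are assumptions, the regular expressions are derived from the samples listed here, and the test message is constructed with a harmless placeholder inside the archive.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject patterns from the list in the post. The airline name varies, so that
# pattern is broad and should only count together with an attachment hit.
SUBJECT_RES = [re.compile(p, re.I) for p in (
    r"^Your order N\d+$",
    r"^Online order for (airplane )?ticket N\d+$",
    r"^Your ticket from .+$",
    r"^Your airplane ticket$",
)]
# Attachment naming from the post: E-ticket_N<digits>.zip holding an .exe.
ZIP_NAME_RE = re.compile(r"^E-ticket_N\d+\.zip$", re.I)
EXE_NAME_RE = re.compile(r"^E-ticket_N\d+_and_Invoice_for_N\d+\.exe$", re.I)

def score_message(raw: bytes) -> list[str]:
    """Return the indicators from the post that this raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if any(r.match(subject) for r in SUBJECT_RES):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if ZIP_NAME_RE.match(name):
            hits.append("zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()  # names are readable without extracting
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        if any(EXE_NAME_RE.match(m) for m in members):
            hits.append("exe-in-zip")
        elif any(m.lower().endswith(".exe") for m in members):
            hits.append("other-exe-in-zip")
    return hits

def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message; the archive member is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Good day,")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A message that matches the subject alone is weak evidence, since legitimate airline mail uses similar wording; the executable inside a zip attachment is the stronger signal.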
