ZBot trojan attached to flight ticket confirmation
July 25, 2008 20 Comments
A new variant of the ZBot trojan is attached to a flight ticket confirmation email. Possible subject lines are:
Your order N9708902
Online order for ticket N688610
Online order for airplane ticket N688610
Your ticket from {airlines} N3076437
Your ticket from {airlines}
Your airplane ticket
The contents of the message:
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: Chapmanavance
Your password: passMWS8
Your credit card has been charged for $405.36.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Rusty Doherty
Delta Air Lines
The attachment is a .zip file named E-ticket_N7399294.zip (the number is random) that contains an executable named E-ticket_N7399294_and_Invoice_for_N73992943442.exe.
On an infected computer the trojan creates the directory %System%\wsnpoem and drops new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll.
It also adds and modifies entries in the Windows registry and connects to a server at http://*********.ru/alaska/alaska.bin. It opens random TCP ports in order to provide backdoor capabilities.
Virus Total permalink and the MD5 hash: e3254936ed358457ed303529e7c2fa8f.
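A mail-gateway check for this lure, written here as an added example (it is not code from the original post). It uses the subject lines listed above and the attachment shape described above (a .zip carrying an E-ticket_*.exe), and it compares any executable it can read against the MD5 from the post. The sample message and the bytes inside its archive are constructed; the blocking policy (lure subject plus executable-in-zip, or executable inside a password-protected zip, or a known hash) is this example's own choice. Entry names in a zip sit in the unencrypted central directory, so the listing check still works for the password-protected variant quoted in the comments.

```python
"""Detect the fake flight-ticket lure at the mail gateway (added example)."""
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# MD5 of the dropper, taken from the post.
KNOWN_MD5 = {"e3254936ed358457ed303529e7c2fa8f"}

# Subject patterns built from the subjects listed in the post and its comments.
SUBJECT_RE = re.compile(
    r"(your order n\d+|online order for (airplane )?ticket n\d+"
    r"|your (online flight |airplane )?ticket( from .+)?( n ?\d+)?)",
    re.IGNORECASE,
)
# Common Windows executable extensions that should never arrive inside a "ticket".
EXE_SUFFIXES = (".exe", ".scr", ".pif")


def inspect_message(raw: bytes) -> dict:
    """Return findings and a verdict ('block' or 'pass') for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").strip()
    findings = {
        "subject_matches_lure": bool(SUBJECT_RE.fullmatch(subject)),
        "zip_attachments": [],
        "executables_in_zip": [],
        "encrypted_zip": False,
        "known_md5_hit": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        findings["zip_attachments"].append(name)
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # a corrupt archive is left to other scanners
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = entry is encrypted
            findings["encrypted_zip"] |= encrypted
            if info.filename.lower().endswith(EXE_SUFFIXES):
                findings["executables_in_zip"].append(info.filename)
                # Hash only what we can actually read without a password.
                if not encrypted and hashlib.md5(zf.read(info)).hexdigest() in KNOWN_MD5:
                    findings["known_md5_hit"] = True
    block = (
        findings["known_md5_hit"]
        or (findings["subject_matches_lure"] and findings["executables_in_zip"])
        or (findings["encrypted_zip"] and findings["executables_in_zip"])
    )
    findings["verdict"] = "block" if block else "pass"
    return findings


def _zip_with(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed message in the shape of the lure; the payload is NOT the real binary."""
    msg = EmailMessage()
    msg["From"] = "Rusty Doherty <constructed@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your order N9708902"
    msg.set_content("Good day,\nThank you for using our new service ...")
    msg.add_attachment(
        _zip_with("E-ticket_N7399294_and_Invoice_for_N73992943442.exe", b"MZ placeholder"),
        maintype="application", subtype="zip", filename="E-ticket_N7399294.zip",
    )
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed control message: a zip holding a PDF, unrelated subject."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Q3 travel policy"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(_zip_with("policy.pdf", b"%PDF-1.4 placeholder"),
                       maintype="application", subtype="zip", filename="policy.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_benign_sample()):
        print(inspect_message(raw))
```

Run against a real mailbox by feeding each message's bytes to inspect_message; the hash check will only fire on the exact dropper, so the structural rules (lure subject plus an executable inside the archive, or an executable inside an encrypted archive) carry the detection for renamed variants.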

I’ve today received an identical email (from American Airlines). The sender’s return email address is erkke@bradigans.com which I believe is a fake one. Email and attachment deleted without opening.
Today I received a similar e-mail.
See below; I did not open the attachment eTicket.zip. Return e-mail: tej@qeddata.com
Your order N2624396
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: epskamp@chello.nl
Your password: pass281N
Your credit card has been charged for $461.34.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
PASSWORD for ZIP arhive is: ticket
Kind regards,
Rochelle Sheehan
Delta Air Lines
Also received a similar mail.
See below:
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: heisa@chello.nl
Your password: passAAXF
Your credit card has been charged for $479.79.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
PASSWORD for ZIP arhive is: ticket
Kind regards,
Gail Bonner
US Airways
I received the same kind of message from Britney Mann, Sun Country Airlines, gemmbuggf@bobsinger.com, with this header info:
From – Mon Aug 11 00:42:15 2008
X-Account-Key: account1
X-UIDL:
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
Return-Path:
Received: from p5B1023D7.dip0.t-ipconnect.de ([91.16.35.215])
by viefep11-int.chello.at
(InterMail vM.7.08.02.02 201-2186-121-104-20070414) with ESMTP
id ;
Mon, 11 Aug 2008 00:05:32 +0200
Received: from [91.16.35.215] by mx1.antispam.lissonline.com; Sun, 10 Aug 2008 23:05:31 +0100
Message-ID:
From: “Britney Mann” Sun Country Airlines
To: XXXXXXXXXXXXX
Subject: Your order N6991212
Date: Sun, 10 Aug 2008 23:05:31 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C8FB3D.961B2F80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Antivirus: avast! (VPS 080809-0, 09-08-2008), Inbound message
X-Antivirus-Status: Clean
I have received a similar email like the ones stated above. Another user in the domain has opened this attachment. What is your suggested course of action to remove this Trojan?
suggested course of action is – don’t open unsolicited email – has this person been on another planet for the past 5 years – how stupid can you be?
Due to higher petrol price the price of the ticket has increased to $ 694.21
I have received a couple of these emails about plane tickets. I knew it was a scam straight away as I dont even have a credit card. Details are as follows:
Return-Path:
Received: from host102-53-static.43-85-b.business.telecomitalia.it (host102-53-static.43-85-b.business.telecomitalia.it [85.43.53.102])
by mail11.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m8Q9gA2v019380;
Fri, 26 Sep 2008 19:42:31 +1000
Received: from [85.43.53.102] by dkcphmx02.softcom.dk; Fri, 26 Sep 2008 10:42:36 +0100
From: USA3000 Airlines
To:
Subject: Your Online Flight Ticket N 30030
Date: Fri, 26 Sep 2008 10:42:36 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01C91FC4.96C03600"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6Q5UXW7HGQH88X7HZ4HXSJS4O6Q==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID:
X-Antivirus: avast! (VPS 080925-0, 25/09/2008), Inbound message
X-Antivirus-Status: Clean
I received a version of this hoax today. Said it was from Spirit Airlines.
Dear Gentlemen,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: craigskelton@aapt.net.au
Your password: PASSYXR7
Your credit card has been charged for $955.28.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Spirit Airlines
It had the ‘E-ticket.zip’ attachment.
“New service ‘Buy airplane ticket Online’”. The first airline ticket I bought online was in 1998, so 10 years ago… If this is a “new” service, the name of the airline better be something like “Third World Air” or something, and with a name like “Buy airplane ticket Online,” it should also be clear that the website was translated from Swahili or something, and wasn’t originally written in English.
But neither of those assumptions work with the “from” address of “Frontier Airlines”.
Same thing… didn’t open the attachments, but checked my credit card to make sure, as it looks pretty convincing, and amazingly no spelling errors, but one grammatical one, “color printed” instead of “printer”, which usually gives these things away… so all deleted and gone…
Dear Sirs,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: xxxxx@blahblah.com.au
Your password: PASS4AFV
Your credit card has been charged for $988.63.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
USA3000 Airlines
As follows:
Subject: Your Online Flight Ticket N 22401
Good morning,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: brady.xxxxxxx@xxxxxxxxx.com
Your password: PASSMMW6
Your credit card has been charged for $984.29.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
AirTran Airways
E-ticket.zip
Fantastic, I purchased airline tickets online and send itineraries to myself and my boyfriend. He was waiting on it and thought that this fake e-mail was legitimate. Now his laptop is infected. He has not been on another planet for the last 5 years, but that is how this crap works on people who are actually planning to travel. If this is sent to millions of people, chances are that at least some of them have actually made plans to travel. So if you don’t have a suggestion as to what can be done, other than buying a new computer, it would be great if you would stop taking up space on these boards ridiculing people that actually have this problem. Snarky comments and snide remarks are neither helpful nor humorous.
Hi sgg,
How far can the laptop log in?
Can the user log in, if so, can the user see desktop items etc..?
There are a few things you can do to fix this problem; rather than listing all of them (no time), if you answer the questions above I will try and give you some sort of instructions…
I received this type of email yesterday – I did not open the attachment because it was an exe file…Here is what the email contained (along with Your_ETicket.zip attachment).
Hello!
Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:
Your login: 453cc1e2.5050806@weipert.us
Your password: passWK8L
Your credit card has been charged for $429.55.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Gabriela Norwood
Northwest Airlines
My wife received this email. Opened the zip file and then launched the executable!!! Genius. She says it gave her an error message. I’m uncertain what actually occurred. My hope is that it won’t work on her Mac. Any thoughts?
These trojans are only executable on the Windows platform. When opened on MacOS X they won’t do any harm.
Please don’t think that your OS is therefore secure and safe. Many people make the argument that using MacOS X or Unix/Linux is the way to avoid virus infections.
It is a fact that for these platforms there are fewer security risks when it comes to viruses and trojans, because almost all malware is focused on the Windows OS.
MacOS X is becoming more popular and the risk of viruses and trojans on this platform is rising. The thing is that most of us don’t have an anti-virus on these platforms because “we feel safe” and there aren’t many viruses. When viruses do get published, infections could have more impact because of the missing security.
So the general rule is not to open attachments unless you are sure it’s safe and it’s from a well known source.
I was infected by opening a picture from a thumbnail posted by The Inquisitr web site. Many pictures to see, and I had already “enlarged” a few for viewing. And there was a pic of a guy in an ice-cold pool, breaking a world record. Once I clicked to enlarge it, the page showing the large pic was also downloading the virus. I only realized it when I tried to close that page and it wouldn’t let me. Now I cannot use any internet email (Hotmail, Gmail or Yahoo). Also, it redirects a lot of the links to other sites I don’t want to go to.
Found your blog via bing the other day and absolutely liked it so much. Carry on the excellent work.
I received an order confirmation from our company’s accounting@…. email address.
It was just like the ones above even though the url listed was http://www.aaa.com/flight-nyc/flightno54…. the real url that showed up was different. I quickly stopped it when it went elsewhere and will notify my company’s IT department in the morning.
It’s back – not that it ever went away.
Carlos in Illinois