Northwest Airlines email contains a trojan
January 13, 2009
A trojan detected as Trojan-Spy.Win32.Zbot.jzb (Kaspersky), W32/Trojan-Gypikon-based.BA!Maximus (F-Prot) and PWS:Win32/Zbot.gen!R (Microsoft) is spreading around. The trojan is spread by an email with the subject E-ticket #4452444681 (the number varies) and is sent by Northwest Airlines <tickets@nwa.com>. This is obviously a spoofed sender address.
The email body content:
Hello!
Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:
Your login: ida.camacho@t********.com
Your password: passXNK0
Your credit card has been charged for $471.52.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Damian Muller
Northwest Airlines
Attached is a ZIP file named NorthwestAirlines.zip that contains the executable NorthwestAirlines.exe.
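The lure has three traits a mail gateway can check mechanically: the "E-ticket #<number>" subject, a From address on the spoofed brand domain that does not match the envelope sender, and a ZIP attachment that carries an executable. The following Python is an added example written for this post, not code from the original article; it builds a constructed message shaped like the lure (the .exe member is an inert placeholder, the Return-Path value is invented) and runs a triage function over it.

```python
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Lure traits described in the post: spoofed "Northwest Airlines <tickets@nwa.com>"
# sender, subject "E-ticket #<digits>", ZIP attachment carrying an .exe.
LURE_SUBJECT = re.compile(r"^E-ticket #\d+", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Constructed sample shaped like the lure; the .exe payload is an inert placeholder, not malware."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NorthwestAirlines.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "Northwest Airlines <tickets@nwa.com>"
    msg["Return-Path"] = "<bounce@relay.example.invalid>"  # constructed envelope sender (assumption)
    msg["Subject"] = "E-ticket #4452444681"
    msg.set_content("Attached to this message is the purchase Invoice and the ticket.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="NorthwestAirlines.zip")
    return bytes(msg)


def archive_executables(blob: bytes) -> list[str]:
    """Names of executable-looking members inside a ZIP blob; a corrupt archive yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> list[str]:
    """Return the lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    if LURE_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject matches the 'E-ticket #<number>' lure pattern")
    # Spoof heuristic: the displayed From domain vs. the envelope (Return-Path) domain.
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = envelope.rpartition("@")[2].lower()
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {env_dom}")
    # Archive attachments: look inside for executable members.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in archive_executables(part.get_payload(decode=True) or b""):
                findings.append(f"archive {name} contains executable {member}")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("-", finding)
```

The envelope check is a heuristic only: legitimate bulk mailers also use a different bounce domain, so on its own it is a weak signal, but combined with a ZIP-wrapped .exe from a brand address it is enough to quarantine the message for review.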
Trojan-Spy.Zbot.YETH is a rootkit trojan that steals online banking information and also downloads other malware. The origin is possibly the Russian Federation.
Local files created:
%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll
%System%\twex.exe
Several Windows registry changes are made; one of them makes sure that twex.exe is run every time Windows starts. The trojan then connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.
So it has all the characteristics of the new UPS variant that I posted about earlier, only with a Northwest Airlines wrapping to get your attention.
VirusTotal permalink and MD5: 3060a4679f0163664b14f8aa59255791.
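The dropped files, the Run-key persistence, the C2 request and the MD5 above are the indicators a responder would sweep for. As an added example (my code, not part of the original post), the Python below turns them into matchers and runs them over constructed host artefacts: a file listing, Run-key values, Squid-style proxy log lines and a path-to-MD5 table. All sample data is invented for the demonstration; only the indicator values come from the post.

```python
import re

# Host and network indicators listed in the post for this Zbot sample.
FILE_PATTERNS = [
    re.compile(r"\\twain32\\(?:local|user)\.ds(?:\.lll)?$", re.I),  # %System%\twain32\*.ds[.lll]
    re.compile(r"\\twex\.exe$", re.I),                               # %System%\twex.exe
]
PERSIST_BINARY = re.compile(r"\\twex\.exe\b", re.I)
C2_HOST = "91.211.65.33"
C2_PATH = "/ferrari/admin.bin"
SAMPLE_MD5 = "3060a4679f0163664b14f8aa59255791"
# Generic "METHOD http://host[:port]/path" matcher for proxy access logs.
PROXY_REQUEST = re.compile(r"\b(GET|POST)\s+https?://([^/\s:]+)(?::\d+)?(/\S*)")


def match_files(paths):
    """File paths that match the dropped-file locations."""
    return [p for p in paths if any(pat.search(p) for pat in FILE_PATTERNS)]


def match_run_keys(run_values):
    """Run-key values (name -> command) that launch the persistence binary."""
    return [f"{name} -> {cmd}" for name, cmd in run_values.items() if PERSIST_BINARY.search(cmd)]


def match_proxy(lines):
    """(confidence, line) for requests to the C2 host: host+path is 'high', host alone 'medium'."""
    hits = []
    for line in lines:
        m = PROXY_REQUEST.search(line)
        if not m or m.group(2) != C2_HOST:
            continue
        hits.append(("high" if m.group(3).startswith(C2_PATH) else "medium", line.strip()))
    return hits


def match_hashes(hashes):
    """Paths whose MD5 (path -> hex digest) equals the sample's published MD5."""
    return [p for p, h in hashes.items() if h.lower() == SAMPLE_MD5]


def scan_sample():
    """Run every matcher over constructed host artefacts (invented for the demo, not real evidence)."""
    paths = [
        r"C:\WINDOWS\system32\twain32\local.ds",
        r"C:\WINDOWS\system32\twain32\user.ds.lll",
        r"C:\WINDOWS\system32\twain_32.dll",       # legitimate TWAIN component, must not match
        r"C:\WINDOWS\system32\twex.exe",
        r"C:\Users\ida\Downloads\NorthwestAirlines.zip",
    ]
    run_values = {
        "userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "twex": r"C:\WINDOWS\system32\twex.exe",
    }
    proxy_lines = [  # constructed Squid-like access-log lines
        "1231862400.101 10.0.0.5 TCP_MISS/200 GET http://91.211.65.33/ferrari/admin.bin - DIRECT/91.211.65.33",
        "1231862401.202 10.0.0.5 TCP_MISS/200 GET http://91.211.65.33/ - DIRECT/91.211.65.33",
        "1231862402.303 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html - DIRECT/203.0.113.9",
    ]
    hashes = {
        r"C:\Users\ida\Downloads\NorthwestAirlines.exe": "3060A4679F0163664B14F8AA59255791",
        r"C:\WINDOWS\system32\userinit.exe": "0" * 32,   # placeholder digest
    }
    return {
        "files": match_files(paths),
        "run_keys": match_run_keys(run_values),
        "proxy": match_proxy(proxy_lines),
        "hashes": match_hashes(hashes),
    }


if __name__ == "__main__":
    for kind, hits in scan_sample().items():
        print(kind, hits)
```

The file patterns anchor on the twain32 directory and the .ds/.ds.lll names so the legitimate twain_32.dll shipped with Windows does not trip them; any request to the C2 host is reported, with the exact admin.bin path raising the confidence, because the same host may serve other components than the one this sample fetched.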
