Northwest Airlines email contains a trojan

A new Zbot variant, detected as Trojan-Spy.Win32.Zbot.jzb (Kaspersky), W32/Trojan-Gypikon-based.BA!Maximus (F-Prot) and PWS:Win32/Zbot.gen!R (Microsoft), is circulating. The trojan is spread by an email with the subject E-ticket #4452444681 (the numbers vary) that claims to be sent by Northwest Airlines <tickets@nwa.com>. This is obviously a spoofed sender address.

The email body content:

Hello!

Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:

Your login: ida.camacho@t********.com
Your password: passXNK0

Your credit card has been charged for $471.52.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Damian Muller
Northwest Airlines

Attached is a ZIP file named NorthwestAirlines.zip that contains the executable NorthwestAirlines.exe.

Trojan-Spy.Zbot.YETH is a rootkit trojan that steals online banking credentials and also downloads other malware. The origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll 
%System%\twex.exe 

Several Windows registry changes are made; one of them makes sure that twex.exe is run every time Windows starts. The trojan then connects to the host 91.211.65.33 on port 80 and issues an HTTP GET request for /ferrari/admin.bin.

So it has all the characteristics of the new UPS variant I posted about earlier, only with a Northwest Airlines wrapping to get your attention.

VirusTotal permalink and MD5: 3060a4679f0163664b14f8aa59255791.
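The indicators above (the lure's subject and spoofed sender, the ZIP containing an .exe, the sample's MD5, the dropped files and the GET to 91.211.65.33) can be turned into simple checks for a mail gateway, a proxy log review or a host triage. The script below is an added example written for this post, not code from MX Lab; the Squid-style proxy log lines and the placeholder ZIP it tests against are constructed here and are not real traffic or the real sample. The post does not name the registry key used for persistence, so that is deliberately not checked.

```python
import hashlib
import io
import re
import zipfile
from email.utils import parseaddr

# Indicators taken from the write-up above.
C2_HOST = "91.211.65.33"
C2_PATH = "/ferrari/admin.bin"
SAMPLE_MD5 = "3060a4679f0163664b14f8aa59255791"
SPOOFED_FROM = "tickets@nwa.com"
SUBJECT_RE = re.compile(r"^E-ticket #\d+$")          # the digits vary per mail
FILE_IOCS = (r"\twain32\local.ds", r"\twain32\user.ds",
             r"\twain32\user.ds.lll", r"\twex.exe")  # relative to %System%
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")


def is_lure_email(subject, from_header):
    """True when Subject and From: match the lure described in the post."""
    _, addr = parseaddr(from_header)
    return bool(SUBJECT_RE.match(subject.strip())) and addr.lower() == SPOOFED_FROM


def zip_executables(zip_bytes):
    """Names of executable members inside a ZIP attachment (the lure ships NorthwestAirlines.exe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]


def attachment_matches_sample(data):
    """Compare an attachment against the MD5 of the analysed sample."""
    return hashlib.md5(data).hexdigest() == SAMPLE_MD5


def suspicious_paths(paths):
    """Filter a list of local file paths for the artefacts the trojan drops."""
    iocs = tuple(i.lower() for i in FILE_IOCS)
    return [p for p in paths if p.lower().endswith(iocs)]


def find_c2_requests(log_text):
    """Scan Squid-style access log lines for requests to the C2 host.

    Returns one dict per matching request; exact_match flags the admin.bin path,
    other paths on the same host are still worth a look."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        client, method, url = parts[2], parts[5], parts[6]
        m = re.match(r"^https?://([^/:]+)(?::\d+)?(/.*)?$", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        if host == C2_HOST:
            hits.append({"client": client, "method": method, "path": path,
                         "exact_match": path == C2_PATH})
    return hits


def build_lure_zip():
    """Constructed stand-in for NorthwestAirlines.zip: a harmless placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NorthwestAirlines.exe", b"placeholder bytes, not the real sample")
    return buf.getvalue()


# Constructed Squid access.log lines (not from the page): one ordinary request,
# the admin.bin fetch described above, and another request to the same host.
SAMPLE_PROXY_LOG = """\
1228054471.123    120 10.0.0.15 TCP_MISS/200 4212 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1228054480.456     88 10.0.0.22 TCP_MISS/200 98304 GET http://91.211.65.33/ferrari/admin.bin - DIRECT/91.211.65.33 application/octet-stream
1228054491.789     45 10.0.0.15 TCP_MISS/200 512 GET http://91.211.65.33/ferrari/other.gif - DIRECT/91.211.65.33 image/gif
"""

if __name__ == "__main__":
    print(is_lure_email("E-ticket #4452444681", "Northwest Airlines <tickets@nwa.com>"))
    print(zip_executables(build_lure_zip()))
    print(attachment_matches_sample(build_lure_zip()))
    print(suspicious_paths([r"C:\WINDOWS\system32\twex.exe", r"C:\WINDOWS\system32\calc.exe"]))
    for hit in find_c2_requests(SAMPLE_PROXY_LOG):
        print(hit)
```

The ZIP and MD5 checks are the ones that belong on the mail gateway; the file-path and proxy-log checks are for triage after the fact. The IP indicator is the most perishable of the set, so match on the host and report every path, not just admin.bin.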

17 Responses to Northwest Airlines email contains a trojan

  1. Ken Davenport says:

    Thank you, this is a service of value.

  2. hägglöf says:

    You don't have to worry about this, do you?

    Thanks for the information.

  3. Ben says:

    You saved me. Thanks

  4. shagg says:

    Received same NW virus. Luckily it was captured by the Hotmail servers

  5. Donncha says:

    Ouch. I have to wonder at how things have evolved. Years ago when floppy disks were still used, boot sector viruses were all the rage, but now the user actually has to click on a zip archive and then click an executable file.

    Something wrong there.

  6. Art Encarnacao says:

    What action is required when you get this bogus email ?

  7. mxlab says:

    Do not open and delete. Same policy applies to all those malicious emails.

  8. Anon says:

    If the email, but not the attachment, has been opened, what steps should be taken?
    Thanks

  9. George Herbig says:

    Hello Northwest:

    I have been charged $427.30 for a ticket I did not order, apparently
    part of this virus scam. Would you please see that the charge against
    my account is cancelled.

    George Herbig

  10. Thor says:

    Thanks for the info, right on. And very quick news release! Who would ever open an .exe attachment anyway? Could merely opening an email ever be dangerous?

    Hey Hägglöf, I don't think you can understand Swedish? Do you think English is better?

    Thanks a lot, MX Lab!

  11. James says:

    Please do not open the attachment and just delete.

    Please remember, this email did not actually come from NWA just from some scammer.

    George, you never got charged. However, if you opened the attachment you may lose a lot more than $427.

  12. Frances says:

    I opened this attachment and now my computer will not operate at all. It will not start in safe mode either. Where do I go from here?

  13. doom and gloom says:

    received this today (after recently booking an airline ticket with the listed email address!), but googled to check it and found this site – Norton didn't catch it (not my preferred choice of AV)

    one customer has now just phoned in having executed it and crashed his PC – looks like it’s spreading fast. any suggested removal tools, or rootkit scanners new enough to pick it up?

  14. Jen says:

    Cool. Thanks a ton for the alert. Remember, any emails you don’t know about, don’t open!

    http://www.squidoo.com/Trojan-Horse-Computer-Virus

    - Jen

  15. dominic says:

    hi all

    to those with non booting machines – download the latest copy of Hiren’s boot disk and burn to CD, along with latest McAfee DAT update file.

    Follow the instructions in the README for updating the virus defs by placing them into C:\VDEFS and do an offline scan.

  16. dominic says:

    sorry, to add – McAfee offline scanner is in wintools folder

    now don't ever open an attachment from an unknown source again ;)
