Emails with ZIP attachment from Delta Airlines contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects such as:

Your ticket #ID6282
Download your ticket #2969
You can download your ticket #NR2881
Order #NR6758

The email is sent from the spoofed address “Delta Air Lines <help9565@delta.com>” and has the following body:

Dear Customer,

ELECTRONIC TICKET NUMBER / 3 506 1139035813 3
SEAT / 31A/ZONE 1
DATE / TIME 16 April, 2012, 10:28 PM
ARRIVING / Fremont
FORM OF PAYMENT / CC
TOTAL PRICE / 379.79 USD
REF / KE7146 ST / OK
BAG / 5PC

Your bought ticket is attached.
You can print your ticket.

Thank you for using our airline company services.
Delta Air Lines.

The attached ZIP file has the name Delta_Air_Lines_Ticket_ID271-3714.zip and contains the 57 kB large file Delta_Air_Lines_Ticket_ID271-3714.exe (the numbers can change).

In one extraction we also found a folder named “ghnswdeW-sistem” containing randomly named, empty .txt files.

The trojan is known as Generic VB.i (McAfee), a variant of Win32/Injector.PVR (NOD32), Troj/Bredo-VJ (Sophos) and Trojan.Smoaler (Symantec).

At the time of writing, only 12 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c.
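The indicators listed above (the subject templates, the claimed delta.com sender and the deltaa.com look-alike reported in the comments, a ZIP attachment wrapping a same-named .exe, and the published SHA256) translate directly into a mail-gateway check. The following Python script is an added example written for this post, not MX Lab's code: it builds a constructed look-alike message (harmless placeholder bytes stand in for the executable, and the decoy .txt filename is made up) and scores it against those indicators. The function names `analyse_message` and `build_sample_message`, the executable-suffix list and the verdict threshold are assumptions of the example.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Indicators taken from the MX Lab write-up and its comment thread.
SUBJECT_PATTERNS = [
    re.compile(r"^(?:you can )?(?:download )?your ticket #(?:ID|NR)?\d+$", re.I),
    re.compile(r"^order #(?:NR)?\d+$", re.I),
]
# delta.com is the spoofed sender domain; deltaa.com is the look-alike reported in the comments.
CAMPAIGN_SENDER_DOMAINS = {"delta.com", "deltaa.com"}
ATTACHMENT_NAME = re.compile(r"^Delta_Air_Lines_Ticket_ID\d+-\d+\.zip$", re.I)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed list
# SHA256 of the sample published in the post.
KNOWN_SHA256 = {"60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c"}


def analyse_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the campaign indicators.

    Returns the findings, the executables found inside ZIP attachments,
    their SHA256 hashes, and whether any hash matches the published sample.
    """
    msg = email.message_from_bytes(raw, policy=default)
    findings, executables, hashes, known = [], [], {}, False

    subject = str(msg["Subject"] or "").strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        findings.append(f"subject matches campaign template: {subject!r}")

    # A matching From: domain is weak on its own (genuine Delta mail uses delta.com too),
    # so it only counts in combination with the other indicators.
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in CAMPAIGN_SENDER_DOMAINS:
        findings.append(f"sender domain seen in campaign: {domain}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ATTACHMENT_NAME.match(name):
            findings.append(f"attachment name matches campaign pattern: {name}")
        if not name.lower().endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP archive")
            continue
        with archive:
            for member in archive.namelist():
                if member.lower().endswith(EXECUTABLE_SUFFIXES):
                    digest = hashlib.sha256(archive.read(member)).hexdigest()
                    executables.append(member)
                    hashes[member] = digest
                    findings.append(f"ZIP {name} contains executable {member} (sha256 {digest})")
                    if digest in KNOWN_SHA256:
                        known = True
                        findings.append(f"{member} matches the published sample hash")

    # Assumed threshold: an executable inside a ZIP, or two or more indicators, is enough to quarantine.
    verdict = "suspicious" if executables or len(findings) >= 2 else "clean"
    return {"verdict": verdict, "findings": findings, "executables": executables,
            "hashes": hashes, "known_sample": known}


def build_sample_message() -> bytes:
    """Constructed look-alike of the campaign mail; the 'executable' is harmless placeholder bytes."""
    placeholder_exe = b"MZ" + b"\x00" * 62  # constructed, not a real PE file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Delta_Air_Lines_Ticket_ID271-3714.exe", placeholder_exe)
        zf.writestr("ghnswdeW-sistem/k3jd8s.txt", b"")  # empty decoy; the .txt name is made up
    msg = EmailMessage()
    msg["From"] = "Delta Air Lines <help9565@delta.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your ticket #ID6282"
    msg.set_content("Dear Customer,\n\nYour bought ticket is attached.\nYou can print your ticket.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delta_Air_Lines_Ticket_ID271-3714.zip")
    return bytes(msg)


if __name__ == "__main__":
    result = analyse_message(build_sample_message())
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Run against a real mailbox by feeding each message's raw bytes to `analyse_message`; the hash check is the only indicator that identifies this exact sample, while the ZIP-wrapped executable check catches the numbered variants the post says keep changing.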

18 Responses to Emails with ZIP attachment from Delta Airlines contain trojan

  1. Michael Pattavina says:

    I also experienced the same virus embedded in a similar Delta ticket email and detected by my email carrier GMX

  2. madhavan says:

    Can’t we inform the delta.com web admin about this.

    • Steph says:

      Tried!!!! Cannot get through on their phone or by customer care or complaint forms by email!!! Glad to have found this site! I opened the email BUT NOT the zip file! Am I okay then??

    • jimchik says:

      On the email I received (Oct 9 2012), the domain was deltaa.com, not simply delta.com (no_reply@deltaa.com), which would be a reason why no one at delta.com can really do anything. In other words, the entire domain is now a spoof. The text:

      Order Notification,

      ELECTRONIC TICKET / EH707153233
      SEAT / 56E/ZONE 3
      DATE / TIME 15 AUGUST, 2012, 11:45 PM
      ARRIVING / Cincinnati
      FORM OF PAYMENT / CC
      TOTAL PRICE / 226.49 USD
      REF / KE.9284 ST / OK
      BAG / 1PC

      Your bought ticket is attached.
      You can print your ticket.

      Thank you
      Delta Air Lines.

      Spam detection from my domain host (Machighway.com) labeled it as such.

  3. Chris says:

    If Delta.com had an SPF record I suspect the Spammer would probably pick on an easier target

  4. Jim says:

    I also received a ticket notice with a zip file. I did not open it. I can’t get into Delta’s site to report the spam and possible trojan. What’s happening with Delta’s site?

  5. Wilson says:

    I received the email through a Juno account. Upon download of zip file Juno’s account indicated no virus found. They have lousy virus protection. I noticed McAfee’s access protection and buffer overflow protection was turned off. Re-enabled them and checked update. Auto Update had failed. Manually updated and manually ran full scan, McAfee found 160 files associated to this email virus. Scheduled full scan performed 1 hour before getting the email came up clean.

  6. donna says:

    Mine was sent via support.4@delta.com.

  7. Splashy says:

    I got it twice from service@delta.com and from ticket450@delta.com
    Kaspersky notified me that it cleaned the emails.

  8. helen says:

    Well I downloaded it to find out what it was all about and now am b…..ered. How can I get rid of it?

  9. Scott says:

    got one today with the following details:
    Hello,

    E-TICKET NUMBER / EH256352799
    SEAT / 69F/ZONE 1
    DATE / TIME 24 AUGUST, 2012, 11:25 AM
    ARRIVING / New Orleans
    FORM OF PAYMENT / CC
    TOTAL PRICE / 236.55 USD
    REF / OE.5701 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    To use your ticket you should print it.

    Thank you
    Delta Air Lines.
    payload was 37.1KB

    Received from service.844@delta.com

  10. Dutchman says:

    Harmful spam with a virus! Please inform Delta Airlines.

    Dear Customer,

    E-TICKET / EH766548492
    SEAT / 44E/ZONE 1
    DATE / TIME 1 AUGUST, 2012, 10:25 PM
    ARRIVING / Lake City
    FORM OF PAYMENT / CC
    TOTAL PRICE / 261.85 USD
    REF / EF.5291 ST / OK
    BAG / 5PC

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for your attention.
    Delta Air Lines.

  11. Mary E. Garrett says:

    I received an e-mail from Delta Air Lines (manager@delta.com) today notifying me of my ticket #, seat, date and time, arriving in Wichita, Form of Payment/cc, price, etc. It stated “Your bought ticket is attached. To use your ticket you should print it. Thank you Dela Air Lines.” At this point I called Delta Airlines to ask about it and was advised this was fraudulent, not to open it, to delete it immediately which I did and to contact “www.delta air lines.com.Phishing” which I did. As advised I have changed my PIN No. Thank you so much. Your representative by phone was extremely polite and helpful.

  12. Elena says:

    I have opened the attachment. It came from service.116@delta.com. What can I do now?

  13. Nicole says:

    Dear Customer,

    ELECTRONIC TICKET NUMBER / EH437238473
    SEAT / 59E/ZONE 2
    DATE / TIME 20 OCTOBER, 2012, 12:45 PM
    ARRIVING / Stockton
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 221.89 USD
    REF / OE.3616 ST / OK
    BAG / 7PC

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for your attention.
    Delta Air Lines.

  14. CF says:

    Just got it in my yahoo mail – it was flagged a spam. I did not open the attachment. The weird thing is that I AM going to Austin on Delta next month. Spooky. But that must be a HUGE plane to have 70 rows of seats… and other spam emails say that you’re checking up to 7 bags. Seriously – who does that?

    Hello,

    TICKET / EH983325246
    SEAT / 70E/ZONE 2
    DATE / TIME 3 AUGUST, 2012, 12:35 PM
    ARRIVING / Austin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 271.03 USD
    REF / KE.7413 ST / OK
    BAG / 1PC

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    Delta Air Lines.

  15. erroniferous says:

    I also got this email in my hotmail account’s junk mail: Domain was: Delta Air Lines (order.864@deltaa.com). My email read:
    Hello,

    ELECTRONIC TICKET / EH170380887
    SEAT / 43E/ZONE 3
    DATE / TIME 13 AUGUST, 2012, 09:55 AM
    ARRIVING / Philadelphia
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 217.07 USD
    REF / KE.6764 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    Delta Air Lines.
