MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign spread by email with subjects such as:
Your ticket #ID6282
Download your ticket #2969
You can download your ticket #NR2881
The email is sent from the spoofed address “Delta Air Lines <firstname.lastname@example.org>” and has the following body:
ELECTRONIC TICKET NUMBER / 3 506 1139035813 3
SEAT / 31A/ZONE 1
DATE / TIME 16 April, 2012, 10:28 PM
ARRIVING / Fremont
FORM OF PAYMENT / CC
TOTAL PRICE / 379.79 USD
REF / KE7146 ST / OK
BAG / 5PC
Your bought ticket is attached.
You can print your ticket.
Thank you for using our airline company services.
Delta Air Lines.
The attached ZIP file has the name Delta_Air_Lines_Ticket_ID271-3714.zip and contains the 57 kB file Delta_Air_Lines_Ticket_ID271-3714.exe (the numbers can change).
In one extraction we also found a folder named “ghnswdeW-sistem” with empty .txt files with random naming.
The trojan is known as Generic VB.i (McAfee), a variant of Win32/Injector.PVR (NOD32), Troj/Bredo-VJ (Sophos), Trojan.Smoaler (Symantec).
At the time of writing, only 12 of the 42 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: 60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c.
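The indicators listed above (subject lure, spoofed "Delta Air Lines" display name, a ZIP named Delta_Air_Lines_Ticket_ID…-….zip carrying an .exe, and the published SHA256) can be turned into a small mail-gateway triage check. The script below is an added example, not MX Lab's code or tooling; the only value taken from the post is the SHA256, and the sample message it scans is constructed in memory with harmless filler bytes standing in for the executable.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 of the dropped executable as published in the post above.
KNOWN_BAD_SHA256 = "60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c"

# Subject lure seen in the campaign: "... ticket #ID6282", "... ticket #2969", "... ticket #NR2881".
SUBJECT_RE = re.compile(r"ticket\s*#(?:ID|NR)?\d+", re.IGNORECASE)
# Attachment naming pattern from the post (the digits vary between samples).
ZIP_NAME_RE = re.compile(r"^Delta_Air_Lines_Ticket_ID\d+-\d+\.zip$", re.IGNORECASE)


def exe_members_with_hashes(data: bytes) -> dict:
    """Map each .exe member inside a ZIP payload to its SHA256 (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {
                name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()
                if name.lower().endswith(".exe")
            }
    except zipfile.BadZipFile:
        return {}


def analyse_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the indicators described in the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    exe_hashes = {}

    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        findings.append("subject matches ticket lure: " + subject)

    sender = str(msg.get("From", ""))
    if "delta air lines" in sender.lower():
        findings.append("sender display name claims Delta Air Lines: " + sender)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ZIP_NAME_RE.match(name):
            findings.append("attachment name matches campaign pattern: " + name)
        members = exe_members_with_hashes(payload)
        if members:
            findings.append("ZIP carries executable(s): " + ", ".join(members))
            exe_hashes.update(members)

    known_hash_hit = KNOWN_BAD_SHA256 in exe_hashes.values()
    if known_hash_hit:
        findings.append("executable SHA256 matches the published sample")

    return {
        "findings": findings,
        "exe_hashes": exe_hashes,
        "known_hash_hit": known_hash_hit,
        # Policy chosen for this example: an executable inside a ZIP lure is enough
        # to quarantine on its own; otherwise two weaker indicators must agree.
        "verdict": known_hash_hit or bool(exe_hashes) or len(findings) >= 2,
    }


def build_sample_message() -> bytes:
    """Constructed look-alike message for testing; the ZIP member is harmless filler, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delta_Air_Lines_Ticket_ID271-3714.exe", b"constructed stand-in bytes")
    msg = EmailMessage()
    msg["Subject"] = "Your ticket #ID6282"
    msg["From"] = "Delta Air Lines <firstname.lastname@example.org>"
    msg["To"] = "recipient@example.net"
    msg.set_content("Your bought ticket is attached.\nYou can print your ticket.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delta_Air_Lines_Ticket_ID271-3714.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = analyse_message(build_sample_message())
    for line in result["findings"]:
        print("-", line)
    print("verdict:", "quarantine" if result["verdict"] else "clean")
```

Because the campaign rotates the numbers in the subject and the attachment name, the checks key on the stable shape of the lure rather than on exact strings; the hash comparison is kept as a separate, high-confidence indicator since a repacked sample will change it while the lure pattern stays the same.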