Emails with ZIP attachment from Delta Airlines contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject like:

Your ticket #ID6282
Download your ticket #2969
You can download your ticket #NR2881
Order #NR6758

The email is sent from the spoofed address “Delta Air Lines <help9565@delta.com>” and has the following body:

Dear Customer,

ELECTRONIC TICKET NUMBER / 3 506 1139035813 3
SEAT / 31A/ZONE 1
DATE / TIME 16 April, 2012, 10:28 PM
ARRIVING / Fremont
FORM OF PAYMENT / CC
TOTAL PRICE / 379.79 USD
REF / KE7146 ST / OK
BAG / 5PC

Your bought ticket is attached.
You can print your ticket.

Thank you for using our airline company services.
Delta Air Lines.

The attached ZIP file has the name Delta_Air_Lines_Ticket_ID271-3714.zip and contains the 57 kB file Delta_Air_Lines_Ticket_ID271-3714.exe (the numbers can change).

In one extraction we also found a folder named “ghnswdeW-sistem” containing empty .txt files with random names.

The trojan is known as Generic VB.i (McAfee), a variant of Win32/Injector.PVR (NOD32), Troj/Bredo-VJ (Sophos), Trojan.Smoaler (Symantec).

At the time of writing, only 12 of the 42 AV engines detected the trojan at VirusTotal.

VirusTotal permalink and SHA256: 60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c.
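The indicators above (lure subjects, spoofed sender domain, ZIP-wrapped .exe with the ticket-style name, and the published SHA256) are enough to build a mail-gateway check. The script below is an added example, not MX Lab's code: it parses a raw message with Python's standard email module, unpacks any ZIP attachment, hashes the members, and produces a verdict with the reasons. The deltaa.com lookalike domain is taken from the comments below; the sample message and the placeholder "executable" inside the ZIP are constructed for the demonstration and are not a real capture or a real binary.

```python
import email.utils
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the MX Lab write-up and its comments: the lure subjects,
# the spoofed sender domains (deltaa.com is the lookalike reported by a commenter),
# the attachment naming pattern and the published SHA256 of the dropped .exe.
SUBJECT_RE = re.compile(r"\b(?:your ticket|order)\s+#(?:ID|NR)?\d+", re.I)
SPOOFED_SENDER_DOMAINS = {"delta.com", "deltaa.com"}
LURE_ZIP_RE = re.compile(r"^Delta_Air_Lines_Ticket_ID\d+-\d+\.zip$", re.I)
KNOWN_BAD_SHA256 = {"60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate larger members (decompression-bomb guard)


def sender_domain(from_header):
    """Domain of the address in a From: header, lower-cased ('' if unparsable)."""
    addr = email.utils.parseaddr(str(from_header))[1]
    return addr.rpartition("@")[2].lower()


def inspect_zip(data):
    """List the members of a ZIP attachment and hash those small enough to inflate safely."""
    members = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return members
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size, "sha256": None,
                     "executable": info.filename.lower().endswith(".exe")}
            # file_size comes from the archive header and can lie; the cap bounds what
            # we are willing to read but is not a guarantee against hostile archives.
            if info.file_size <= MAX_MEMBER_BYTES:
                entry["sha256"] = hashlib.sha256(archive.read(info)).hexdigest()
            members.append(entry)
    return members


def analyze_message(raw):
    """Score one raw RFC 822 message; returns a report with the reasons and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    from_domain = sender_domain(msg.get("From", ""))
    report = {"subject": subject, "from_domain": from_domain, "attachments": [],
              "subject_lure": bool(SUBJECT_RE.search(subject)),
              "spoofed_sender": from_domain in SPOOFED_SENDER_DOMAINS, "reasons": []}
    if report["subject_lure"]:
        report["reasons"].append("ticket lure subject")
    if report["spoofed_sender"]:
        report["reasons"].append("sender claims to be " + from_domain)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        members = inspect_zip(part.get_payload(decode=True) or b"")
        report["attachments"].append({"name": name, "members": members,
                                      "lure_name": bool(LURE_ZIP_RE.match(name))})
        if any(m["executable"] for m in members):
            report["reasons"].append("ZIP attachment contains an .exe")
        if any(m["sha256"] in KNOWN_BAD_SHA256 for m in members):
            report["reasons"].append("known-bad SHA256")
    # An executable inside a ZIP is enough on its own; lure text without a payload is only suspicious.
    if any(r.startswith(("ZIP", "known-bad")) for r in report["reasons"]):
        report["verdict"] = "quarantine"
    elif report["reasons"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "allow"
    return report


def build_lure_zip():
    """Constructed stand-in for the attachment: a ZIP holding a placeholder .exe, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Delta_Air_Lines_Ticket_ID271-3714.exe",
                    b"MZ" + b"\0" * 62 + b"placeholder bytes, not a real PE")
    return buf.getvalue()


def build_message(sender, subject, zip_bytes=None,
                  zip_name="Delta_Air_Lines_Ticket_ID271-3714.zip"):
    """Construct a test e-mail (not a real capture) with an optional application/zip attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Dear Customer,\n\nYour bought ticket is attached.\nYou can print your ticket.\n")
    if zip_bytes is not None:
        msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    lure = build_message("Delta Air Lines <help9565@delta.com>", "Your ticket #ID6282", build_lure_zip())
    print(json.dumps(analyze_message(lure), indent=2))
```

The hash comparison only catches the exact sample MX Lab published; since the attachment names and numbers change between runs, the structural rule (ZIP attachment wrapping an .exe) is the part that keeps working, which is why it alone is enough for a quarantine verdict here.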

18 Responses to Emails with ZIP attachment from Delta Airlines contain trojan

  1. Michael Pattavina says:

    I also experienced the same virus embedded in a similar Delta ticket email and detected by my email carrier GMX.

  2. madhavan says:

    Can’t we inform the delta.com web admin about this?

    • Steph says:

      Tried!!!! Cannot get through on their phone or by customer care or complaint forms by email!!! Glad to have found this site! I opened the email BUT NOT the zip file! Am I okay then??

    • jimchik says:

      On the email I received (Oct 9 2012), the domain was deltaa.com, not simply delta.com (no_reply@deltaa.com), which would be a reason why no one at delta.com can really do anything. In other words, the entire domain is now a spoof. The text:

      Order Notification,

      ELECTRONIC TICKET / EH707153233
      SEAT / 56E/ZONE 3
      DATE / TIME 15 AUGUST, 2012, 11:45 PM
      ARRIVING / Cincinnati
      FORM OF PAYMENT / CC
      TOTAL PRICE / 226.49 USD
      REF / KE.9284 ST / OK
      BAG / 1PC

      Your bought ticket is attached.
      You can print your ticket.

      Thank you
      Delta Air Lines.

      Spam detection from my domain host (Machighway.com) labeled it as such.

  3. Chris says:

    If Delta.com had an SPF record I suspect the Spammer would probably pick on an easier target
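What an SPF record would give a receiving mail server is a way to reject mail whose connecting IP is not authorised for the domain in the envelope sender. The evaluator below is an added example, not code from MX Lab or from any commenter: it implements the left-to-right, first-match semantics of SPF for the ip4, ip6 and all mechanisms only, with the result names from RFC 7208. Mechanisms that need DNS (include, a, mx, ptr, exists) are skipped and flagged, so the function is usable offline against a record you already hold. The example record uses the reserved documentation address ranges and is constructed for the demonstration.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # need lookups, not evaluated here

# Constructed example record (documentation ranges only), not Delta's real policy.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all terms of an SPF TXT record against the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 names), or
    'unevaluated' when the outcome depends on a DNS-based mechanism that was skipped
    before a terminal match was reached. Terms are evaluated left to right and the
    first match decides, exactly as a real SPF implementation does.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable record: the receiver has nothing to enforce
    skipped = False
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; not evaluated offline
            skipped = True
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name == "all":
            return "unevaluated" if skipped else QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(term.partition(":")[2], strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == network.version and ip in network:
                return "unevaluated" if skipped else QUALIFIERS[qualifier]
            continue
        if name in DNS_MECHANISMS:
            skipped = True
            continue
        return "permerror"  # unknown mechanism
    return "unevaluated" if skipped else "neutral"  # no term matched and no 'all' present


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", evaluate_spf(EXAMPLE_RECORD, ip))
```

A record ending in -all lets the receiver reject at SMTP time; ~all only marks the message for filtering. SPF checks the domain in the envelope sender, so a lookalike domain such as the deltaa.com mentioned in the comments, registered by the sender and carrying its own valid SPF record, still passes; SPF removes the ability to forge the real domain, not the ability to register a similar one.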

  4. Jim says:

    I also received a ticket notice with a zip file. I did not open it. I can’t get into Delta’s site to report the spam and possible trojan. What’s happening with Delta’s site?

  5. Wilson says:

    I received the email through a Juno account. Upon download of the zip file Juno’s account indicated no virus found. They have lousy virus protection. I noticed McAfee’s access protection and buffer overflow protection were turned off. Re-enabled them and checked update. Auto Update had failed. Manually updated and manually ran a full scan; McAfee found 160 files associated with this email virus. A scheduled full scan performed 1 hour before getting the email came up clean.

  6. donna says:

    Mine was sent via support.4@delta.com.

  7. Splashy says:

    I got it twice from service@delta.com and from ticket450@delta.com
    Kaspersky notified me that it cleaned the emails.

  8. helen says:

    Well, I downloaded it to find out what it was all about and now am b…..ered. How can I get rid of it?

  9. Scott says:

    Got one today with the following details:
    Hello,

    E-TICKET NUMBER / EH256352799
    SEAT / 69F/ZONE 1
    DATE / TIME 24 AUGUST, 2012, 11:25 AM
    ARRIVING / New Orleans
    FORM OF PAYMENT / CC
    TOTAL PRICE / 236.55 USD
    REF / OE.5701 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    To use your ticket you should print it.

    Thank you
    Delta Air Lines.
    Payload was 37.1 KB.

    Received from service.844@delta.com

  10. Dutchman says:

    Harmful spam with a virus! Please inform Delta Airlines.

    Dear Customer,

    E-TICKET / EH766548492
    SEAT / 44E/ZONE 1
    DATE / TIME 1 AUGUST, 2012, 10:25 PM
    ARRIVING / Lake City
    FORM OF PAYMENT / CC
    TOTAL PRICE / 261.85 USD
    REF / EF.5291 ST / OK
    BAG / 5PC

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for your attention.
    Delta Air Lines.

  11. Mary E. Garrett says:

    I received an e-mail from Delta Air Lines (manager@delta.com) today notifying me of my ticket #, seat, date and time, arriving in Wichita, Form of Payment/cc, price, etc. It stated “Your bought ticket is attached. To use your ticket you should print it. Thank you Dela Air Lines.” At this point I called Delta Airlines to ask about it and was advised this was fraudulent, not to open it, to delete it immediately which I did and to contact “www.delta air lines.com.Phishing” which I did. As advised I have changed my PIN No. Thank you so much. Your representative by phone was extremely polite and helpful.

  12. Elena says:

    I have opened the attachment. It came from service.116@delta.com. What can I do now?

  13. Nicole says:

    Dear Customer,

    ELECTRONIC TICKET NUMBER / EH437238473
    SEAT / 59E/ZONE 2
    DATE / TIME 20 OCTOBER, 2012, 12:45 PM
    ARRIVING / Stockton
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 221.89 USD
    REF / OE.3616 ST / OK
    BAG / 7PC

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for your attention.
    Delta Air Lines.

  14. CF says:

    Just got it in my Yahoo mail – it was flagged as spam. I did not open the attachment. The weird thing is that I AM going to Austin on Delta next month. Spooky. But that must be a HUGE plane to have 70 rows of seats… and other spam emails say that you’re checking up to 7 bags. Seriously – who does that?

    Hello,

    TICKET / EH983325246
    SEAT / 70E/ZONE 2
    DATE / TIME 3 AUGUST, 2012, 12:35 PM
    ARRIVING / Austin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 271.03 USD
    REF / KE.7413 ST / OK
    BAG / 1PC

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    Delta Air Lines.

  15. erroniferous says:

    I also got this email in my hotmail account’s junk mail: Domain was: Delta Air Lines (order.864@deltaa.com). My email read:
    Hello,

    ELECTRONIC TICKET / EH170380887
    SEAT / 43E/ZONE 3
    DATE / TIME 13 AUGUST, 2012, 09:55 AM
    ARRIVING / Philadelphia
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 217.07 USD
    REF / KE.6764 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    Delta Air Lines.
