MX Lab, http://www.mxlab.eu, has started intercepting a few samples of a new trojan distribution campaign sent by email with the subject “Please download your ticket #NR4692” or “Please download your ticket #1881” (the number changes from email to email).
The email is sent from the spoofed address “American Airlines <email@example.com>” and has an embedded image with the instructions to print your flight ticket.
This is a typical example of the technique used in image-based spam in the past. The body also contains three paragraphs of text kept hidden from the reader (white text on a white background):
<p style="color: rgb(255, 255, 255);">Youl aske me why I rather choose to haue A weight of carrion flesh, then to receiue Three thousand DucatsIle not answer that But say it is my humor; Is it answered What if my house be troubled with a Rat, And I be pleasd to giue ten thousand Ducates To haue it baind What, are you answerd yet Some men there are loue not a gaping Pigge Some that are mad, if they behold a Cat And others, when the bag-pipe sings ith nose, Cannot containe their Vrine for affection. Masters of passion swayes it to the moode Of what it likes or loaths, now for your answer As there is no firme reason to be rendred Why he cannot abide a gaping Pigge Why he a harmlesse necessarie Cat Why he a woollen bag-pipe but of force Must yeeld to such ineuitable shame, As to offend himselfe being offended So can I giue no reason, nor I will not, More then a lodgd hate, and a certaine loathing I beare Anthonio, that I follow thus A loosing suite against him Are you answered Bass. </p>
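As an added illustration (not code from MX Lab), a small Python scanner that flags an HTML mail body whose text is mostly hidden in white-on-white elements next to an image, which is the pattern described above. The sample message is constructed here to mimic the campaign; the link target is a placeholder.

```python
from html.parser import HTMLParser

# Foreground colours that vanish on a mail client's default white background.
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}  # never get a closing tag

def is_white_text(style):
    """True if an inline style declares a white foreground colour."""
    for decl in style.split(";"):
        prop, _, val = decl.partition(":")
        if prop.strip().lower() == "color":
            return "".join(val.split()).lower() in WHITE
    return False

class HiddenTextScanner(HTMLParser):
    """Counts words rendered white-on-white (hidden) versus visibly."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open element: inside hidden text or not
        self.hidden_words = self.visible_words = self.images = 0

    def handle_starttag(self, tag, attrs):
        self.images += (tag == "img")
        if tag not in VOID_TAGS:
            inherited = bool(self.stack) and self.stack[-1]
            style = dict(attrs).get("style") or ""
            self.stack.append(inherited or is_white_text(style))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if self.stack and self.stack[-1]:
            self.hidden_words += len(data.split())
        else:
            self.visible_words += len(data.split())

def scan(html):
    """Counts plus a verdict: an image-led body whose text is mostly hidden."""
    s = HiddenTextScanner()
    s.feed(html)
    s.close()
    return {"hidden_words": s.hidden_words, "visible_words": s.visible_words,
            "images": s.images,
            "suspicious": s.images > 0 and s.hidden_words > s.visible_words}

# Constructed sample mimicking the campaign: one linked image plus white filler text.
SAMPLE = """<html><body><a href="http://example.invalid/ticket.htm"><img src="cid:ticket.png" alt=""></a>
<p style="color: rgb(255, 255, 255);">Youl aske me why I rather choose to haue A weight of carrion flesh</p>
<p style="color: rgb(255, 255, 255);">Some men there are loue not a gaping Pigge</p>
<p>Please print your ticket.</p>
</body></html>"""
```

`scan(SAMPLE)` reports 23 hidden words against 4 visible ones and one image, so the verdict is suspicious; a plain text-only notification is not flagged.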
The URL behind the image leads to hxxp://www.thepilatesstudio.ca/VZGTLYJTVT.htm and this site contains the following HTML code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<meta content="text/html; charset=Windows-1251" http-equiv="content-type">
The downloaded AA_Ticket.zip contains AA_Ticket.exe.
The trojan is known as W32/Zortob.AA!tr, Mal/EncPk-AED, Posible_Worm32 or PAK_Generic.001.
At the time of writing, only 6 of the 41 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: d1af9462258ace66c58d6d9029cb3d2992ed31eb7365874b9135a85199f6554e.