MX Lab, http://www.mxlab.eu, detected a new trojan variant being distributed in fake Booking.com emails about a hotel reservation. The email has the subject “Hotel Reservation ” followed by a number that varies from email to email.
The email is sent from the spoofed address “Booking.com <email@example.com>” and has the following body:
(Eden Rock) 8785896
Date: Wed, 22 Aug 2012 20:57:25 +0100 —
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Friday, August 24, 2012
Departure: Sunday, August 26, 2012
Number of rooms: 1
Customer Service Team
Your Reference ID is: 3806087
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
-Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.
The attached ZIP file is named in the format Hotel-Booking_Confirmation****.zip, where the stars stand for a varying suffix, for example Hotel-Booking_Confirmation-Eden Rock or Hotel-Booking_Confirmation-41, London. Each email uses a different name.
The extracted file, however, is named Hotel-Booking_Confirmation.exe and is approx. 55 kB in size.
The trojan is detected under names such as BDS/Andromeda.EB.6, W32/Falab.J5.gen!Eldorado, Trojan-Dropper:W32/Agent.DUER, Trojan.Generic.KDV.704509 and others.
At the time of writing, 17 of the 36 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 7f472d30ba32d6df227b13160ab7e9da6fe4cc91f34425172e77fc8474b7b082.
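The indicators above (subject pattern, spoofed Booking.com display name, a Hotel-Booking_Confirmation*.zip attachment wrapping an .exe, and the SHA256 of the dropped file) are enough to write a mail-gateway triage check. The script below is an added example written for this page, not MX Lab's own tooling. It builds a constructed lookalike of the lure with a harmless placeholder instead of the real executable, then scans it: the sender address used in the sample, the digits-only subject pattern, and the extra extensions in SUSPECT_EXTS beyond .exe are assumptions; the SHA256 is the one reported above, so a real copy of the attachment would match it while the placeholder does not.

```python
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the MX Lab write-up above.
KNOWN_SHA256 = {"7f472d30ba32d6df227b13160ab7e9da6fe4cc91f34425172e77fc8474b7b082"}
SUBJECT_RE = re.compile(r"^Hotel Reservation \d+$")          # digits-only suffix is an assumption
ZIP_NAME_RE = re.compile(r"^Hotel-Booking_Confirmation.*\.zip$", re.IGNORECASE)
# The sample drops an .exe; the other extensions are an assumption about likely variants.
SUSPECT_EXTS = (".exe", ".scr", ".pif", ".com")


def is_spoofed_booking_sender(from_header: str) -> bool:
    """True when the display name claims Booking.com but the address is not in booking.com."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_booking = "booking.com" in name.lower()
    is_booking = domain == "booking.com" or domain.endswith(".booking.com")
    return claims_booking and not is_booking


def inspect_zip(zip_bytes: bytes) -> list:
    """Hash every ZIP member and flag executables or hashes on the known-bad list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            reasons = []
            if info.filename.lower().endswith(SUSPECT_EXTS):
                reasons.append("executable inside zip")
            if digest in KNOWN_SHA256:
                reasons.append("sha256 matches known sample")
            findings.append({"member": info.filename, "size": len(data),
                             "sha256": digest, "reasons": reasons})
    return findings


def scan_message(raw: bytes) -> dict:
    """Return a triage report for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    report = {
        "subject": subject,
        "subject_matches": bool(SUBJECT_RE.match(subject)),
        "from_spoof": is_spoofed_booking_sender(str(msg.get("From", ""))),
        "zip_attachments": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not ZIP_NAME_RE.match(fname):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            members = inspect_zip(payload)
        except zipfile.BadZipFile:
            # A ZIP-named attachment that is not a ZIP is itself worth a look.
            members = [{"member": None, "size": len(payload),
                        "sha256": hashlib.sha256(payload).hexdigest(),
                        "reasons": ["attachment is not a valid zip"]}]
        report["zip_attachments"].append({"filename": fname, "members": members})
    flagged = any(m["reasons"] for a in report["zip_attachments"] for m in a["members"])
    report["suspicious"] = flagged or (report["subject_matches"] and report["from_spoof"])
    return report


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure; the attachment is a harmless placeholder, not the trojan."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Hotel-Booking_Confirmation.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "Hotel Reservation 8785896"
    msg["From"] = "Booking.com <reservations@mail.example>"   # assumed sender, not from the page
    msg["To"] = "guest@example.org"
    msg.set_content("Herewith you receive the electronic reservation for your hotel. "
                    "Please refer to attached file for full details.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Hotel-Booking_Confirmation-Eden Rock.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_message(build_sample_message()), indent=2))
```

The hash check only catches this exact build of the dropper; the structural checks (executable inside a ZIP named like a booking confirmation, sender domain not matching the claimed brand) are what keep the rule useful when the next run of the campaign ships a repacked binary with a fresh hash.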