Fake emails from Booking.com contain new trojan variant

MX Lab, http://www.mxlab.eu, detected a new trojan variant being distributed in fake emails from Booking.com regarding a hotel reservation. The email has the subject “Hotel Reservation [3709602]”. The number varies in each email.

The email is sent from the spoofed address “Booking.com <customer.service@my.booking.com>” and has the following body:

Hotel Confirmation:
(Eden Rock) 8785896
Date: Wed, 22 Aug 2012 20:57:25 +0100 —

Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.

Arrival: Friday, August 24, 2012

Departure: Sunday, August 26, 2012
Number of rooms: 1
Customer Service Team

Booking.com http://www.booking.com

Your Reference ID is: 3806087
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
-Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.

The attached ZIP file is named in the format Hotel-Booking_Confirmation****.zip, where the stars stand for a varying suffix, for example Hotel-Booking_Confirmation-Eden Rock or Hotel-Booking_Confirmation-41, London. Each email uses a different name.

The extracted file, however, is named Hotel-Booking_Confirmation.exe and is approximately 55 kB in size.

The trojan is known as BDS/Andromeda.EB.6, W32/Falab.J5.gen!Eldorado, Trojan-Dropper:W32/Agent.DUER, Trojan.Generic.KDV.704509 and others.

At the time of writing, 17 of the 36 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256 of the sample: 7f472d30ba32d6df227b13160ab7e9da6fe4cc91f34425172e77fc8474b7b082.
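As an added example (not part of the MX Lab post), the following Python script shows how a mail gateway or analyst could flag messages matching the pattern described above: the subject format, the spoofed Booking.com sender, the Hotel-Booking_Confirmation*.zip attachment name, an executable inside the ZIP, and the published SHA256. The sample message it builds is constructed here with an inert placeholder instead of the real executable; the function and constant names are this example's own.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA256 of Hotel-Booking_Confirmation.exe as given in the post above.
KNOWN_SHA256 = "7f472d30ba32d6df227b13160ab7e9da6fe4cc91f34425172e77fc8474b7b082"
SUBJECT_RE = re.compile(r"^Hotel Reservation \[\d+\]$")
ATTACH_RE = re.compile(r"^Hotel-Booking_Confirmation.*\.zip$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def inspect_message(raw: bytes) -> list:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject matches campaign pattern")
    if "booking.com" in msg.get("From", "").lower():
        hits.append("sender claims to be Booking.com")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACH_RE.match(name):
            continue
        hits.append(f"attachment name matches pattern: {name}")
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            hits.append("attachment is not a valid ZIP")
            continue
        for member in zf.namelist():
            if member.lower().endswith(EXEC_EXT):
                hits.append(f"ZIP contains executable: {member}")
                if hashlib.sha256(zf.read(member)).hexdigest() == KNOWN_SHA256:
                    hits.append("SHA256 matches known sample")
    return hits

def build_sample_email() -> bytes:
    """Constructed message mimicking the campaign; the 'exe' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hotel-Booking_Confirmation.exe", b"inert placeholder, not a PE")
    m = EmailMessage()
    m["From"] = "Booking.com <customer.service@my.booking.com>"
    m["Subject"] = "Hotel Reservation [3709602]"
    m.set_content("Please refer to attached file for full details.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Hotel-Booking_Confirmation-Eden Rock.zip")
    return m.as_bytes()
```

Because the placeholder inside the constructed ZIP is not the real sample, the hash check does not fire on it; against a real capture of this campaign it would.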

One thought on “Fake emails from Booking.com contain new trojan variant”

  1. If I got the same email, does that mean that my email address is listed somewhere on the internet, or has been stolen by some criminal? Is there any action I need to take at this point, besides deleting the email?

    Any help is appreciated. Thank you.
