MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject in the format “Your Order#74267102 – PROCESSED”.
The email is sent from the spoofed address “Air Canada <email@example.com>” and has the following body:
Your order has been successfully processed.
FLIGHT NUMBER TB7392CA
DATE & TIME / DECEMBER 6, 2012, 10:30 AM
DEPARTING / Toronto
TOTAL PRICE / 375.12 CAD
Please download and print your ticket from the following URL : http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&ticket_number=74267102
For more information regarding your order, contact us by visiting , visit : http://www.aircanada.com/en/customercare/index.html?orderid=74267102&ssid=1524
The embedded URL does not point the browser to the real web site address but to hxxp://air-canada.org/tickets/ticketTB7392CA.zip. Once this file is extracted you will have the 175 kB file ticketTB7392CA.scr.
The trojan is known as Trojan-Spy.Win32.Zbot.gtvm, Trojan.Zbot or Trojan.Agent/Gen-Festo.
At the time of writing, 4 of the 46 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: 1eb3236e4461f1f4bf5293987186461921d114e820725c7a7b0d5c9fcd9faba4.
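The three mail-level tells described above (the lure subject, a sender display name that does not match the sending domain, and a visible aircanada.com link whose real target is a .zip on air-canada.org) can be checked mechanically, and the SHA256 given above can be matched against any file that turns up. The following Python script is an added example for illustration, not code from MX Lab; the sample message is constructed to mirror the lure described in this post (it is not the intercepted mail), and the mapping of the display name "Air Canada" to the domain aircanada.com is an assumption of the example.

```python
import hashlib
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# SHA256 of ticketTB7392CA.scr as reported in the post (the only file IoC it gives)
KNOWN_SHA256 = {"1eb3236e4461f1f4bf5293987186461921d114e820725c7a7b0d5c9fcd9faba4"}

# Subject pattern from the post: "Your Order#74267102 – PROCESSED" (order number varies)
SUBJECT_RE = re.compile(r"^Your Order#\d+\s*[-\u2013]\s*PROCESSED$")

# Extensions used by the lure: a .zip that unpacks to a .scr screensaver executable
DROPPER_EXTS = (".zip", ".scr", ".exe")

# Assumed: which sending domain a given display name may legitimately use
BRAND_DOMAINS = {"air canada": "aircanada.com"}

# Constructed sample message reproducing the lure (not a real capture)
SAMPLE_EMAIL = """\
From: Air Canada <email@example.com>
Subject: Your Order#74267102 - PROCESSED
Content-Type: text/html; charset=utf-8

<p>Your order has been successfully processed.</p>
<p>Please download and print your ticket from the following URL :
<a href="hxxp://air-canada.org/tickets/ticketTB7392CA.zip">http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&amp;ticket_number=74267102</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host part of a URL without a leading 'www.'; tolerates defanged hxxp:// schemes."""
    host = (urlparse(url).netloc or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []

    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches known lure pattern")

    # Display name claims a brand, but the address domain belongs to someone else
    m = re.match(r'\s*"?([^"<]+?)"?\s*<[^@>]+@([^>]+)>', msg.get("From", ""))
    if m:
        display, domain = m.group(1).strip(), m.group(2).lower()
        brand = BRAND_DOMAINS.get(display.lower())
        if brand and not (domain == brand or domain.endswith("." + brand)):
            findings.append(f"display name '{display}' but sender domain {domain}")

    # Inspect every HTML part: visible URL vs real target, and archive/executable targets
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            if "://" in text and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
            if urlparse(href).path.lower().endswith(DROPPER_EXTS):
                findings.append(f"link to archive/executable: {href}")
    return findings


def matches_known_sample(data):
    """True if the SHA256 of the given bytes equals the hash reported in the post."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, `analyze` reports all four indicators; a message from the brand's own domain with no links to archives produces no findings. `matches_known_sample` is meant to be fed the bytes of a file pulled from a mailbox or web proxy log, so the hash comparison is exact rather than a name match on ticketTB7392CA.scr, which an attacker can rename freely.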