MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order#62910621 – PROCESSED” (the number varies with each email), posing as a ticket confirmation from Delta Airlines.
The email is sent from the spoofed address “Delta Airlines <email@example.com>” and has the following body:
Your credit card has been successfully processed.
FLIGHT NUMBER DT9801298017US
DATE & TIME / AUG 24, 2013, 13:45
ARRIVING / Washington
TOTAL PRICE / 501.33 USD
Please download and print your ticket from the following URL :
For more information regarding your order, contact us by visiting :
The embedded URLs download a ZIP file named pdf_delta_ticket.zip, which contains the 410 kB file pdf_delta_ticket.scr. The .scr (Windows screensaver) extension marks an executable file, not a PDF document.
The trojan is known as Trojan/Win32.Zbot, a variant of Win32/Injector.ALHC, Artemis!232279EF3B8D, Trojan.FakeSCR, UDS:DangerousObject.Multi.Generic, or Trojan.Zbot!gen51.
At the time of writing, 7 of the 46 AV engines detected the trojan at Virus Total.
Virus Total permalink and SHA256: 30c837b632563e9224423793dbec251edcf38c2bd154b588ea40ce9c23b38a02.
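
A gateway-side check for the delivery pattern described above (an executable with a document-like name inside a ZIP), as an added example that is not MX Lab's code. The extension list, lure words and size limit are assumptions, and the sample archive is constructed from inert bytes.

```python
import hashlib
import io
import zipfile

# Extensions Windows treats as programs; .scr (screensaver) is a normal PE executable.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs"}
DOC_HINTS = ("pdf", "doc", "xls", "invoice", "ticket")  # assumed lure words
# SHA256 from this page; the page does not say whether it is the ZIP or the .scr,
# so both the archive and each member are compared against it.
KNOWN_SHA256 = {"30c837b632563e9224423793dbec251edcf38c2bd154b588ea40ce9c23b38a02"}
MAX_BYTES = 16 * 1024 * 1024  # bounded read per member (decompression-bomb guard)


def scan_zip(data: bytes) -> list:
    """Return one finding per archive member whose extension is executable."""
    archive_known = hashlib.sha256(data).hexdigest() in KNOWN_SHA256
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            stem, dot, ext = name.rpartition(".")
            if not dot or ext not in EXECUTABLE_EXTS:
                continue
            with zf.open(info) as fh:
                payload = fh.read(MAX_BYTES)
            findings.append({
                "member": info.filename,
                "is_pe": payload[:2] == b"MZ",  # DOS/PE magic
                "doc_lure": any(h in stem for h in DOC_HINTS),
                "known_hash": archive_known
                or hashlib.sha256(payload).hexdigest() in KNOWN_SHA256,
            })
    return findings


def build_sample() -> bytes:
    """Constructed, harmless ZIP that only mimics the layout described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pdf_delta_ticket.scr", b"MZ" + b"\x00" * 64)  # inert bytes
        zf.writestr("readme.txt", b"constructed test data")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

Any finding with both is_pe and doc_lure set is worth quarantining regardless of AV verdict, since the name-versus-type mismatch does not depend on signature coverage.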