Fake Delta Airlines ticket confirmation messages are currently circulating that carry a Trojan infection identified as W32/Trojan2.FXRO.
One of our readers gave us this tip, which was reported on MXLab's blog (blog.mxlab.be).
During the past holiday season there were reports of email messages spoofing airline companies to spread malware, and the trend has continued. The current malware arrives as a zip attachment containing an executable named delta_RQ763.exe, in an email with the subject line "Confirmation of airline ticket purchase at www.delta.com." The spammers go even further to make the message look legitimate by spoofing the sender address as email@example.com. To a normal computer user, the message will appear to have legitimately come from Delta Airlines.
Hackers go to great lengths to spread malware, even if it means sending out something as bogus as an airline confirmation message. You may ask, "who would believe this email is legitimate if they did not book a flight recently?" The fact of the matter is that even a person who did not book a flight wants to know what the message is all about. Many computer users will open the attached file because they think it could include details to help them sort out a mix-up that Delta Airlines may have made in sending the message in the first place. Tricky Hackers!
The fake Delta Airlines message reads as follows:
Thanks for the purchase!
Booking number: LVSN50
You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.
It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.
On board you will be offered:
- daily press.
You are guaranteed top-quality services and attention on the part of our benevolent personnel.
We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.
See you on board!
Delta Air Lines
The Trojan within the zip file attached to this fake email, identified as W32/Trojan2.FXRO, connects to remote hosts identified as the following: 91.211.65.**/ejik/admin.bin and 91.211.65.**/ejik/hot.php. These hosts were also identified by MXLab's blog. The hosts are contacted after the attachment is opened and the .exe file contained within the zip is executed. A number of files are created in your System directory under the following paths: %System%\twain32\user.ds, %System%\twain32\local.ds, and %System%\twex.exe.
The W32/Trojan2.FXRO Trojan is currently not detected by many security vendors. As time progresses and the W32/Trojan2.FXRO Trojan spreads, a complete removal solution for W32/Trojan2.FXRO will have the files needed for removal available.
MD5 of the W32/Trojan2.FXRO Trojan: e3bf9ea4d7ddd59f0f27486f993fa2b2
Aliases: Trojan-Spy.Zbot.YETH, Trojan-Dropper.Delf, PE_Patch.UPX, W32/Trojan2.FXRO.
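The lure described above (zip attachment with an executable inside, spoofed sender, the delta.com subject line) and the indicators listed here (the sample's MD5, the /ejik/ URI paths on the 91.211.65.** hosts) can be turned into a simple mail and proxy-log check. The following Python script is an added example written for this page; it is not code from the article or from MXLab. The sample message, the stand-in payload bytes, the zip filename delta_RQ763.zip and the proxy log lines are all constructed for the demonstration, and the host prefix is matched only on 91.211.65. because the last octet is redacted on the page.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: the sample's MD5, the name of the
# executable inside the zip, and the URI paths on the remote hosts.
KNOWN_MD5 = {"e3bf9ea4d7ddd59f0f27486f993fa2b2": "W32/Trojan2.FXRO"}
KNOWN_PAYLOAD_NAMES = {"delta_rq763.exe"}
C2_HOST_PREFIX = "91.211.65."          # last octet is redacted in the article
C2_URI_PATHS = ("/ejik/admin.bin", "/ejik/hot.php")
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def md5_hex(data: bytes) -> str:
    # MD5 only because that is the hash the article publishes for the sample.
    return hashlib.md5(data).hexdigest()


def make_sample_zip(payload: bytes) -> bytes:
    """Constructed zip holding a harmless stand-in named like the lure's executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("delta_RQ763.exe", payload)
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes) -> bytes:
    """Constructed message shaped like the lure in the article (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "email@example.com"   # the spoofed sender named in the article
    msg["To"] = "user@example.com"
    msg["Subject"] = "Confirmation of airline ticket purchase at www.delta.com"
    msg.set_content("Thanks for the purchase!\nBooking number: LVSN50\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="delta_RQ763.zip")   # hypothetical zip name
    return msg.as_bytes()


def inspect_message(raw: bytes, known_md5: dict = KNOWN_MD5) -> list:
    """One finding per executable found inside a zip attachment: the member name,
    its MD5 and a verdict (known hash, lure filename, or plain executable-in-zip)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)
        if not name.lower().endswith(".zip") or data is None:
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "member": None,
                             "md5": None, "verdict": "corrupt zip"})
            continue
        with zf:
            for info in zf.infolist():
                member = info.filename
                if not member.lower().endswith(EXEC_SUFFIXES):
                    continue
                digest = md5_hex(zf.read(info))
                if digest in known_md5:
                    verdict = "known sample: " + known_md5[digest]
                elif member.lower() in KNOWN_PAYLOAD_NAMES:
                    verdict = "lure filename match"
                else:
                    verdict = "executable inside zip"
                findings.append({"attachment": name, "member": member,
                                 "md5": digest, "verdict": verdict})
    return findings


def flag_c2_lines(log_lines) -> list:
    """Return proxy log lines whose request matches the article's host range and URI paths."""
    hits = []
    for line in log_lines:
        if C2_HOST_PREFIX in line and any(p in line for p in C2_URI_PATHS):
            hits.append(line)
    return hits


# Constructed proxy log lines; the host keeps the article's redaction.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://91.211.65.**/ejik/admin.bin 200",
    "10.0.0.5 GET http://www.delta.com/ 200",
    "10.0.0.7 POST http://91.211.65.**/ejik/hot.php 200",
]

if __name__ == "__main__":
    raw = build_sample_message(make_sample_zip(b"stand-in, not a real binary"))
    for finding in inspect_message(raw):
        print(finding)
    for line in flag_c2_lines(SAMPLE_PROXY_LOG):
        print("C2 hit:", line)
```

The hash match is the strong signal and the filename match is the weak one; an executable of any name inside a zip attachment on a "ticket confirmation" is itself worth quarantining, which is why the script still reports it when neither indicator matches.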
It is highly advisable that you pay extra attention to any email message that appears to have come from Delta Airlines and seems the least bit suspicious. It is better to be safe than sorry and delete a suspicious email. Remember, if an email message is truly important or urgent, the sender can contact you through other means, so it is okay to delete a message when in doubt about its authenticity.