Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain an airline ticket purchase notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the link to download and print the ticket. However, the link contains a .zip file containing a malicious .scr file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5343) may contain the following files:
pdf_ticket_copy.zip
pdf_ticket_copy.scr
The pdf_ticket_copy.scr file in the pdf_ticket_copy.zip attachment has a file size of 272,231 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x0E57B31DF5ED48A77B8CE42209EE45A4
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Your Order#63916372 - APPROVED
Message Body:
Dear Customer,
Your credit card has been successfully processed.
FLIGHT NUMBER ET62082CA
ELECTRONIC 63916372
DATE & TIME / FEB 19, 2013, 10:22 AM
ARRIVING / TORONTO
TOTAL PRICE / CAD 419.33
Please download and print your ticket from the following URL : hxxps://aircanada.com/travelInformation/viewOrderInfo.do?ticket_number=63916372&acton=download&fid=ET62082CA
For more information regarding your order, contact us by visiting : hxxp://www.aircanada.com/en/customercare/index.html
Thank you
America Airlines.
Source: Cisco