Fake Air Canada emails with an order confirmation contain a URL that downloads a malicious ZIP file. The embedded URL does not point the browser to the real website address but to hxxp://air-canada.org/tickets/ticketTB7392CA.zip. Once this file is extracted, you will have the 175 kB file ticketTB7392CA.scr. The email is sent from the spoofed address “Air Canada <firstname.lastname@example.org>” and has the following body:
Dear Customer,
Your order has been successfully processed.
FLIGHT NUMBER TB8696CA
DATE & TIME / DECEMBER 5, 2012, 10:30 AM
DEPARTING / Toronto
TOTAL PRICE / 375.12 CAD
Please download and print your ticket from the following URL : http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&ticket_number=75267302
For more information regarding your order, contact us by visiting , visit : http://www.aircanada.com/en/customercare/index.html?orderid=75267302&ssid=1866
The trojan is known as Trojan-Spy.Win32.Zbot.gtvm, Trojan.Zbot or Trojan.Agent/Gen-Festo.
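A defender-side check for the mismatch described above, as an added example that is not part of the original alert: it parses an HTML mail body and flags links whose visible URL names a different host than the real target, or whose target is a .zip or .scr download. The markup in SAMPLE, and the assumption that the first link is the one carrying the malicious target, are constructed for illustration; `parts`, `LinkAuditor` and `audit` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RISKY_EXT = (".zip", ".scr")  # file types named in this alert

def parts(url):
    """Split a URL, accepting the defanged hxxp:// form used in reports."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return urlsplit(url)

class LinkAuditor(HTMLParser):
    """Collects <a> elements whose visible URL and real target disagree."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown, href, self._href = "".join(self._text).strip(), self._href, None
        reasons, target = [], parts(href)
        # Compare hosts only when the link text itself is written as a URL.
        if "://" in shown and parts(shown).hostname != target.hostname:
            reasons.append("text shows %s, link goes to %s"
                           % (parts(shown).hostname, target.hostname))
        if target.path.lower().endswith(RISKY_EXT):
            reasons.append("target is an archive or screensaver download")
        if reasons:
            self.findings.append((shown, href, reasons))

def audit(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings

# Constructed sample: markup is assumed; link text and target come from the alert.
SAMPLE = ('<p>Please download and print your ticket from the following URL : '
          '<a href="hxxp://air-canada.org/tickets/ticketTB7392CA.zip">http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&amp;ticket_number=75267302</a></p>'
          '<p>visit : <a href="http://www.aircanada.com/en/customercare/index.html?orderid=75267302&amp;ssid=1866">http://www.aircanada.com/en/customercare/index.html?orderid=75267302&amp;ssid=1866</a></p>')
```

Strict host comparison will also flag legitimate click-tracking redirects, so treat a finding as a reason to inspect the message rather than as a verdict.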