Backdoor Trojan disguised as flight confirmation email hits German internet users

Filed Under: Featured, Malware, Spam

German internet users should be on their guard today, after malware was widely spammed out posing as a flight confirmation from Lufthansa.

Malicious email. Click for larger version

Subject: Flugdetails & Reiseinformationen
Attached file:

Falls Sie diese Reiseinformation nicht oder nur teilweise lesen konnen, offnen Sie bitte die angehangte PDF-Version. Bitte antworten Sie nicht auf diese E-Mail. Direkt-Antworten an den Absender konnen nicht bearbeitet werden. Um mit Lufthansa in Kontakt zu treten, rufen Sie bitte den Hilfe & Kontakt-Bereich auf auf.

Flugscheindetails & Reiseinformationen in der beigefugten Datei

* Den Passenger Receipt (Rechnungsbeleg) erhalten Sie durch einen Klick auf die Flugscheinnummer bis 30 Tage nach Reisebeginn.

Of course, the emails don't really come from Lufthansa - but it's likely that some internet users will have been duped into clicking on the attachment, even if they aren't planning to travel anywhere, our of sheer curiousity.

The attached ZIP file contains a file called Flugsheindetails.PDF.exe, clearly named in an attempt to trick the unwary into believing it is a PDF.

Running the program, installs its malicious code onto the computer, disguising itself as svchost.exe to allay the suspicions of anyone checking the list of running processes. A Registry key of SunJavaUpdateSched is also set.

Lufthansa aircraft. Image from ShutterstockMeanwhile, behind the scenes, the code has opened a backdoor on your compromised computer - allowing a third party hacker to send commands, and potentially steal information or install further malware on your computer.

Sophos products detect the ZIP file as Mal/DrodZp-A, and the EXE as Mal/EncPk-AFN.

Although German-speaking computer users are clearly the ones being targeted on this occasion, the same social engineering trick is likely to work in any language.

Everyone should be on their guard from unsolcited emails, carrying strange attachments.

Thanks to SophosLabs researcher Richard Wang for his assistance with this article

Lufthansa aircraft image from Shutterstock.

, ,

You might like

5 Responses to Backdoor Trojan disguised as flight confirmation email hits German internet users

  1. Freida Gray · 990 days ago

    Would it be a safe bet to view all double extension items as malware?

    • 3bbing · 990 days ago

      definitely when it ends with .exe - Problem is though, that most of the people who would fall for that don't have activated the option to show the file extensions when their System knows the extension, this leads to the situation that a file named xyz.pdf.exe is only shown as xyz.pdf with the exe hidden - you see where I want to go.

      Also, there are legitimate double extension files like xyz.tar.gz .

      So it would be safer, yes, but not for every configuration visible on first sight and it also leads to false positives.

  2. Peter G · 990 days ago

    Grammar and spelling became bloody good. :-/ (or is it Google translate ;) )
    Subsequently focus on spelling details e.g. können instead of konnen

  3. Richard P · 989 days ago

    Also with regard to German spelling:

    "Flugsheindetails.PDF.exe" should read "Flugscheindetails.PDF.exe" (with a "c").

    Is that your error or the malware writer's error?

    Also, would it bean idea to get the text of the email translated into English for the benefit of your non-German-reading readers?

    Richard P

  4. Tina · 989 days ago

    So, what is going to happen once I opened that Email , what I did on my I pad...???

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley