Malware delivered with fake hotel reservations

We wrote last week about Malware delivered with fake Craigslist fax-to-email notifications.This week’s malware delivery mechanism is a fake email notification from the well-known online hotel reservations portal


The malware is delivered when you click on “Print Booking Details” via an archive which should contain the form with the reservation details. In order to fool the user to open and execute the binary file, the email contains the following text:

However in order to guarantee its keeping, you have to refresh the credit card date during 36 hours after this message receiving.

In order to create a feeling of emergency, the email also contains a warning of what would happen if the user doesn’t “print” the booking receipt:

If you do not update your credit card date, a penalty for reservation cancellation or prepayment of  126$, which is provided under the terms of booking will be imposed.

You, as a reader of this security blog, know that you should never, ever open attachments of emails, especially,  from emails that you never requested. And, if the attachment is a ZIP file and if in that file you see an executable (.exe, .pif, .scr, .com) or a known file associated with an executable (e.g.: .swf, .pdf, .jar) then you should immediately delete the email.

In this case, the executable is a Trojan detected by all Avira products as TR/Agent.23552.280.  This program downloads additional malware from various URLs and transforms you computer in a bot.

At the moment of writing this article the malicious payload is detected only by a couple of AV products (according to VirusTotal). I assume that the detection will be slowly rolled out by all products. In the meanwhile, stay safe and keep you Avira product up to date.


Sorin Mustaca

IT Security Expert


via Avira – TechBlog

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: