Today I received an email supposedly from American Airlines with a Zip file attachment:
If you open the zip file, you’ll see what looks like a Word document:
However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:
Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.
As usual: if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!
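The disguise described above (an executable named like a document, relying on Explorer hiding known extensions) can be spotted before anyone double-clicks. The following is an added example, not code from the original post: it opens a zip attachment in memory and flags members that carry an executable extension, a document-looking double extension, or a Windows PE "MZ" header. The sample archive it builds is constructed for the demo and does not contain any real malware.

```python
import io
import zipfile

# Extensions that look like harmless documents, and ones Windows will execute.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with this DOS header


def inspect_zip(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().rsplit(".", 2)  # "ticket.doc.exe" -> ["ticket", "doc", "exe"]
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
                if inner in DOCUMENT_EXTENSIONS:
                    # With "Hide extensions for known file types" on, Explorer shows only "ticket.doc"
                    reasons.append("double extension: displays as %s" % inner)
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are read; nothing is executed
            if head == PE_MAGIC:
                reasons.append("content is a Windows PE executable (MZ header)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed stand-in for the lure: a PE-looking stub named like a Word document, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", b"MZ" + b"\x00" * 62)  # fake DOS header, constructed, not a real binary
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

Pointing `inspect_zip` at the bytes of a saved attachment (without extracting or opening it) gives the same result the Explorer trick in the post gives, but without relying on a display setting.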
Update January 16 and 19, 2012: Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:
- December 16, 2011 – Susan Green
- December 16, 2011 – Michael
- January 6, 2012 – Teresa
- January 16, 2012 – Shea
- January 19, 2012 – Bob
- January 19, 2012 – Mark
Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.
Thank you very much for posting this! I really appreciate it – it saved me from being caught with it.
Very good post!! Just had the email myself, only flying to New York JFK this time. The date was also the 9th of December. Again, thanks very much!!
I just received a similar email, luckily I decided to have a look on Google before opening it!
I also received one of these today. The attachment was disguised as a PDF. I actually double-clicked it (after it passed anti-virus scan), then realised what I’d done, and so I quickly crashed the computer to prevent it unpacking. No ill effects so far, but a close call. In my case, it got past BitDefender, even when I scanned the zip file.
I hate these people.
I just got the same thing…
Notification,
FLIGHT NUMBER A781BN
ELECTRONIC 763738965
DATE & TIME / DECEMBER 08, 2011, 11:53 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 411.12 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
With a zip attachment. I agree it has to be a virus.
Interesting… Gmail quarantined it…
The message “Your Order##226836253” from American Airlines ([email protected]) contained a virus or a suspicious attachment. It was therefore not fetched from your account and has been left on the server.
If you wish to write to American, just click reply and send American a message.
Thank you,
The Gmail Team
By now the anti-virus engines should be trapping the one that started November 3. However I received a new variant, also bypassing multiple checks, about ten days ago. Stay vigilant!
Hi, I got the same e-mail in my junk box today, thanks for posting comments. It's good to see what's out there.
June
Cheers for this, thought it would be a virus but always nice to know for sure :o)
Also just got one…… Shame it's a virus as I could really do with a holiday.
Notification,
FLIGHT NUMBER A781BN
ELECTRONIC 557662963
DATE & TIME / DECEMBER 14, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 258.23 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Anyone have any suggestions on how to clean it once it has been opened and therefore infected the machine?
I also rec’d this today 6th Dec but thought I would check it out before I opened it. So thanks to everyone who has posted this info.
Notice,
FLIGHT NUMBER AA984
ELECTRONIC 600619277
DATE & TIME / DECEMBER 16, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 321.56 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Got this today. As I never book American Airlines and there was no departing airport, I scanned it with McAfee and nothing was found, so I had a little look and saw it was an .exe file. I decided to check online first as I was wary and found this page. It arrived in my AOL email box that is meant to be protected by AOL and McAfee.
It got through my AOL account too. Why would someone open a flight email when they haven't booked one?
Does anyone have any ideas on how to sort things? I opened the file by mistake. Or is it a lost cause? Many thanks.
I got this today. And because I work with travel all the time (and have an outstanding JFK flight) and was in a hurry, I stupidly opened it. IT ERASED EVERYTHING ON MY COMPUTER except AOL and my wallpaper.
I know this was stupid – I have a Mac and never got a file like this so far. So I tried to open it (and could not because it was a docx file, and left it). Will something happen? How can I check?
I don't know if anyone knows how to obtain a more definitive location.
IP of sender of e-mail virus is 142.166.86.98
located in Fredericton, New Brunswick, CANADA
I just received one as well. I've got Avast! free virus scan and mine did see it as a dangerous file.
Thanks for the posts made me sure not to open it :)
I just got this myself as well in my outbox via Hotmail
=========================================================================
Notification,
FLIGHT NUMBER AA983
ELECTRONIC 744412175
DATE & TIME / DECEMBER 14, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 283.30 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you
American Airlines.
=========================================================================
Thanks so much for all the posts – I was just about to click it open thinking one of my staff team had been using the credit card, but thought I had better check.
Thanks saved me too
My girlfriend has just opened this email too. She has lost all of her university work from the last two years. No backup. A tech guy is trying to restore it at the moment. Has anyone who opened the file managed to get their info back?
She has just got back from NY on holiday, so why wouldn't she open the file!?
Gutted.
I just opened this. It got through my aol account, and I opened it because my mom doesn’t use her email and when she buys tickets and stuff she uses my account. My anti-virus didn’t catch it. I opened it. Everything I had was erased. I am trying to see if any techs can restore it. Anyone have any luck?
Good job I thought to have a look on google before opening the email in my junk folder!! I thought that somebody had got my credit card and was having a good time at my expense.
Email was as below.
Notification,
FLIGHT NUMBER 980
ELECTRONIC 753197060
DATE & TIME / DECEMBER 13, 2011, 12:54 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 214.34 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
THANKS EVERY ONE FOR POSTING!!
I received this right now and luckily googled first. I'm going to NY in February so they almost fooled me.
Notice,
FLIGHT NUMBER A781BN
ELECTRONIC 363169492
DATE & TIME / DECEMBER 12, 2011, 11:53 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 367.45 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Got the same notice but made the mistake of opening it in a PDF. It crashed the PC. Rebooted in Safe Mode and was able to restore to an earlier date. Got my files back but have some small issues to resolve. A lot of time and frustration over this. So far so good.
Came through as spam on AOL but knew not to open. Good to see people helping :)
American Airlines do not fly from my local airport and it has been over twenty years since I have needed to visit any part of the USA, let alone JFK, so I knew that it was some sort of spam anyway and just deleted it. Clearly whoever sent it had not targeted the recipients very well. My concern though was that it went through three levels of security to go directly into my inbox. Any ideas who is responsible and what we can do about it?
Wish I had easy answers for those that got the virus. Sometimes Safe Mode helps, in combination with a good scanner like Malwarebytes. More advanced options include booting from CD to run anti-virus programs. Often your only recourse is to wipe the disk and re-install everything. As long as you have backups, that’s not catastrophic; a good image-based backup can quickly take you back a day or two. I blogged briefly about backups.
It is disturbing that these things are getting past anti-virus scanners so frequently, but there are so many new viruses every day that there will always be some that get through. If you want to see how many scanners recognize the variant that you received, you can upload a copy of the file to http://www.virustotal.com. Do this at your own risk–you have to save it to your computer without opening it in order to be able to upload it.
It is still circulating with later dates. Thanks for the info…. Fortunately, I didn't open it. Thanks again!
Dear Customer,
FLIGHT NUMBER AA984
ELECTRONIC 064249717
DATE & TIME / DECEMBER 23, 2011, 10:43 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 366.45 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Whole computer crashed. All the files disappeared one after the other as soon as I clicked on the ticket sign (PDF format). I feel so sorry for opening that file. I lost all my new baby's pictures. We didn't even have a chance to back them up. Sick people.
Mb, sorry to hear that. You’re maybe the third comment reporting deleted files. I’ve heard of viruses that hold files for “ransom” until you pay them, but no one has mentioned that here. Consider taking the computer to a pro; maybe there is a way to salvage/undelete the files. Let us know if you find out.
Just received the email; mine was to FORT WORTH. Lucky I did a check around first to see if it was a virus before I tried to open it.
I received the email too. Mine said it was for Chicago on Dec 22. I knew I hadn’t purchased a ticket so I used trusty ol’ google and found this page! Thanks for posting!
Received this but didn't notice it right away – we live in England and were in bed when it was sent. Also thought it was interesting that mine says the zip file has 0k – so it is empty, I assume. Maybe the virus checkers are now alert to the scam. I googled the flight number and it did not equate with the same destination listed in the email. Thought originally my husband might have bought a ticket for someone in my family to come for a visit; however, all my family are on the West Coast. None of the information regarding the flight is correct. So glad I found this site or I might still be wondering.
American Airlines [email protected]
12:27 AM (16 hours ago)
to me
Hello
FLIGHT NUMBER AA634
ELECTRONIC 791699218
DATE & TIME / DECEMBER 23, 2011, 10:43 PM
ARRIVING / Charlotte
TOTAL PRICE / 182.32 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
American Airlines.
Ticket.zip
0K View Download
I just looked back over some of the messages and found this interesting:
“Thank you for using our airline company services.”
“Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.”
Strange sounding wording – "your bought ticket" – wouldn't an American company say "purchased"? And "our airline company services" doesn't sound right either. Just a thought.
And thank you for your attention – who would say that in America?
Just had this email sent to me for a flight to Jacksonville, but it was flagged by google chrome as a virus.
Eva, “quite right” as the British would say: poor grammar or spelling and odd phrasing are often a clue that the email is not legitimate.
Your 0K attachment may indicate that an anti-virus program (either on your computer or on the email server) cleaned the virus before it got to your Inbox.
I received this attachment in my gmail inbox. I didn’t download but previewed it. Should it harm my pc?
I got the same mail. I opened it while I was in conversation with a colleague and didn't notice it. Man, my computer is gone! It deleted everything; the hard disk is not functioning.
Your files & folders aren’t missing, just hidden. In Windows Explorer, navigate to Folder Options, click the View tab and select Show hidden files and folders. It’s going to take some work but all is not lost. Don’t ask me how I know. :(
Just had one crop up at work. Our mail server failed to notice it, but when I attempted to forward it home, gmail bounced it back.
Just got one too – into my outlook mailbox. Glad I researched it before opening the ticket! Thanks for the great info.
Here’s what I got:
Dear Customer,
FLIGHT NUMBER AA711
ELECTRONIC 966501410
DATE & TIME / DECEMBER 24, 2011, 10:43 PM
ARRIVING / San Diego
TOTAL PRICE / 181.30 USD
Please find your ticket attached.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
Here’s what I did to restore his PC:
Closed all open windows
Reboot in safe mode with networking
Because we couldn’t see IE – in search – put in Run and then iexplore.exe
Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
Ran combofix – after it was done the icons returned to the desktop
Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
Started with #7 and downloaded Malwarebytes and ran it – found 3 items
Continued with #19 to unhide the icons
Rebooted as normal and PC was back to pre-virus state.
Good luck!
Having embarrassed myself (especially having worked for a famous OS software company), I fell for this one bad, and by the time I realized it was a .exe file and not a PDF, the damage was done. However, I was able to completely fix the problem by doing the following (assuming those who were infected have the same condition with your OS). Note I have a Windows Vista OS on my computer.
1. Click on lower left corner Windows icon.
2. Click on All Programs (that was the only option that was showing in this Window after the attack).
3. Click on Default Programs
4. The header file will now show Default Programs>
5. Click on Control Panel in the file name and that should come up.
6. If it does and you’re in Classic View, click on Backup and Restore C. If on default home view, select System and Maintenance. Follow instructions from there to restore your system to a previous date/time from the attack (if you’re able to). Fortunately I was.
7. OS should reset everything back to status quo before the attack – at least mine did.
Again, as stated by others, you have not lost your files or programs with this vicious attack, just the access to them.
I hope this helps and good luck.
Thanks Susan and Michael for sharing your remediation procedures.
I got another one of these today, except this time instead of an attachment, it had a link to "Download your ticket here." I started up an isolated virtual machine and opened the link. It linked to a site with an .ru domain (Russia), which started downloading a rather long Javascript. I got tired of waiting for it to do anything, so I closed the virtual machine, deleting the changes.
Bottom line: watch out for variants: PDF instead of DOC attachments, or just a link with no attachment.
I also received this today … I figured it was either a virus, or someone got my CC number & info and booked something … glad I googled before anything else … I also NEVER trust ANYthing sent to “Customer” … .
Dear Customer,
FLIGHT NUMBER AA711
ELECTRONIC 565963602
DATE & TIME / DECEMBER 20, 2011, 12:53 PM
ARRIVING / Jacksonville
TOTAL PRICE / 312.12 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
My father just opened this email up and his PC crashed and everything was erased. I was able to fix the problem in the following manner (I just did this two minutes ago and as of now everything appears to be normal again):
1) Shut down the computer as soon as possible to avoid any further damage.
2) Reboot the computer in safe mode. (This is done on Windows by tapping the F8 button when you turn on the computer; if you get to the Windows logo it's too late. Restart the computer and try again.)
3) Open the computer in Safe Mode with networking.
4) Go to the Control Panel and perform a system restore. (This will restore your computer to an earlier date, specifically one before you opened the virus.)
Anything you did after the system restore obviously won’t be available, but this is a small price to pay to get your computer back.
I just received a similar email… I got it on my phone and there was no attachment to open on my phone. I checked my bank account just in case it was fraud done on my account. It's sad to say that has happened to me before and they stole more than $1100 out of my bank account =(