New Airline Ticket Virus Email

Today I received an email supposedly from American Airlines with a Zip file attachment:

American Airlines ticket virus 1

If you open the zip file, you’ll see what looks like a Word document:

American Airlines ticket virus 2

However, if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

American Airlines ticket virus 3

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.
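A check that does not depend on antivirus signatures, as an added example (not code from the original post): it lists a zip attachment's members without extracting them and flags any that Windows would execute, including files with a document-style name or a PE ("MZ") header under a harmless-looking extension. The function names and the sample file names are constructed for illustration, and the sample bytes are harmless placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a recipient expects to be a harmless document.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls", ".xlsx"}


def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each suspicious member; nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # strip() catches names padded with spaces before the real extension.
            suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTS:
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                    findings.append((name, "document name with executable extension"))
                else:
                    findings.append((name, "executable extension"))
            elif info.flag_bits & 0x1:
                # Encrypted member: content cannot be read without the password.
                findings.append((name, "encrypted member, content not inspected"))
            else:
                # A Windows PE file starts with "MZ" whatever the file is called.
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append((name, "PE header under non-executable name"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: placeholder bytes only, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", b"MZ" + b"\x00" * 62)  # looks like a Word file with extensions hidden
        zf.writestr("itinerary.pdf", b"MZ" + b"\x00" * 62)   # executable content under a document name
        zf.writestr("notes.txt", b"plain text")              # benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample()):
        print(f"{member}: {reason}")
```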

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

  • December 16, 2011 – Susan Green
  • December 16, 2011 – Michael
  • January 6, 2012 – Teresa
  • January 16, 2012 – Shea
  • January 19, 2012 – Bob
  • January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

219 thoughts on “New Airline Ticket Virus Email”

  1. stacy

    wish I’d seen this page before now….I opened it up on saturday and my ticket was to Detroit-in hindsight it was stupid but I genuinely thought someone had used my card ….. cue everything wiped off my pc and a nice £60 bill to restore and repair-fine now but I’m so angry and annoyed that there are some people sad enough to get off on this sort of thing!

  2. Dagmara

    I also just received it. I decided to check out first but like some of you I thought at first someone had gotten to my cc…..However, I do not recall receiving real confirmation letters sounding like this one:

    Hello

    FLIGHT NUMBER AB871
    ELECTRONIC 524891814
    DATE & TIME / JANUARY 18, 2012, 10:33 PM
    ARRIVING / Oxnard
    TOTAL PRICE / 178.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines

    This is such a shame some people find joy in ruining somebody else’s work.
    Hopefully it will not be making any more harm.

  3. Catherine Whittington

    I received this email, destination Chicago, in my AOL email. Fortunately, my husband was sitting in the room at the time. I actually downloaded the .zip file and started to extract when something just felt wrong. I told my husband and he asked me to forward it to him and today he found this post. I also checked my bank account to see if there had been any charge there, but none. It was odd for it to come to my AOL account, because literally NOTHING that I use is attached to that account. I also found the language “a scan document” rather than “a scanned document” strange. Thanks for the info. I’m really glad I stopped the extraction when I did!

  4. Chris

    I opened this before reading these posts. Does anyone know if this virus can affect a MAC Book Pro?

  5. Me

    To get ur data back you need a program from bleeping computers called unhide. I am a computer tech and have experienced many people with same issues. Email me if you need further assistance.

  6. Veve Dell

    Got this same email today with the destination to california. Must be going around!
    Thanks for these postings…
    I knew I hadn’t bought this plane ticket and thought it was a mistake…
    Thought it was odd the email began with the greeting “hello”
    Glad I didn’t open the file!
    It’s doubly weird that I am actually getting on an airplane tomorrow!

  7. KwangGee

    I received that email this evening but for some reason there was no attachment or links.

  8. Chris

    Dad opened this, took his drive out and put in another machine and ran malwarebytes then put it back in his computer. Found a bunch, but not all XP functions work on his drive. All the data is there, which is good. When trying to boot to safe mode it opens a window for Vista OS and then just boots normal and doesn’t give any “Safe Mode” options. Any idea how to fix the XP OS without a format?

  9. Mark Berry Post author

    Chris, not sure why Vista would come up if you have XP. Maybe your BIOS is set to “Fast Boot” so you’re not getting the chance to get in with the F8 key. There are a couple procedures in the comments above, e.g. using System Restore, that may not require Safe Mode.

  10. Ina Ames

    I am contacting you from my Xp as my Vaio Vista is crashed. I was flying to NYC on American so I clicked on the e-mail. I saw the “.exe” too late and had already clicked the zip file. My Sony Vaio w Vista os began faltering and shutdown.
    I cannot get F8 to work so no safe mode.

    The only success i have is F2/Bios settings or F10/ Vaio recovery center.
    I really don’t want to lose all my files, my husband has passed away and I have his photos + files I haven’t backed up that I dearly want to keep.

    I used the Vaio rescue Data button to backup to a hard drv but i’m afraid to connect it to another computer for fear it will infect it. I don’t know if it actually worked in backing up files.

    When I tried using the restore point in Vaio recovery center I had an error msg of “no os detected” so it could not access windows to do a restore. Do I have any other options for accessing the info on my HD? I’m hoping it is still there + I can find a way to get in + change the attributes but how? How could I make a rescue cd (no os detected)? Any step by step instructions would be greatly appreciated!!!!
    Thank you

  11. Mark Berry Post author

    Ina, there are a couple step-by-step procedures in the comments above but if you cannot get F8 to work, or if you are not comfortable with virus recovery in general, I would recommend taking your infected machine to a reputable local professional.

  12. Ina

    I did buy ($10.) a vista recovery disc online and I used it to boot but it couldn’t see windows vista even though I could use it to see some of my files.
    It was very limited in its tools.
    I’m wondering if I could use it to make another cd w “unhide” on it.

    I can go to the command prompt w this cd. Can I use the same old dos commands to move around in the files? change the attributes etc?

  13. Mark Berry Post author

    Ina, I would think that you would have access to the DIR command. Not sure if it supports the /ah switch to show hidden files, or whether you also have the ATTRIB command for removing the hidden flag.

    Some colleagues have recommended Hiren Boot CD (http://www.hiren.info/pages/bootcd). I have used Ultimate Boot CD (http://www.ultimatebootcd.com/). Either one should give you a graphical file explorer that would let you look at hard disk contents. Not sure about unhide utilities but these are pretty comprehensive utility CDs so probably unhide is available.

  14. Inga

    Thanks for posting this article. I was tempted to open this email thinking someone stole my visa number. It did go into my hotmail junk file.

  15. Jeff

    I got this at about 7:40 this morning.

    Hello

    FLIGHT NUMBER AA551
    ELECTRONIC 770448823
    DATE & TIME / JANUARY 13, 2012, 10:53 PM
    ARRIVING / Chattanooga
    TOTAL PRICE / 214.23 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

    ——————————————————————————–

    No virus found in this message.
    Checked by AVG – http://www.avg.com
    Version: 2012.0.1901 / Virus Database: 2109/4707 – Release Date: 12/27/11

  16. jai

    I got the email today and thought my wife made flight arrangements for her upcoming trip. Lucky I opened it on my mac so far nothing has happened. But I also opened in my phone hopefully nothing is affected and it stays that way

  17. JSM

    Got this today–saw it come up on my iPhone as I rarely if ever go out to AOL to read my mail. Figured it was a virus and came out here, so I forwarded it to AOL’s spam team and deleted it. Whew.

  18. Jill

    I got this email to my AOL account which I rarely use and like other people I thought either it’s a virus or someone got a hold of my cc. The wording didn’t sound right which made me think it was probably a virus but out of curiosity I went ahead and opened it on my Android phone. So far nothing has happened. I quickly deleted all the files from my phone anyway.

  19. Jill

    I just got this email in my yahoo account – yahoo caught it as spam – glad I checked here first. Not to mention I have no plans on traveling soon or on AA….

  20. Karen

    Just received this email this morning into my business email, and knew instantaneously it was a virus or password fisher. I travel a few times a month, but never on American Airlines. The improper grammar was also a huge tip-off.

  21. Frank

    My partner opened this same email last evening, AND the attached zip file.
    It immediately began scanning our system, files appearing on screen one after another, appearing to be a WINDOWS anti-virus scan. We use McAfee, not WINDOWS for security, so
    I attempted to close this new screen and run a scan with McAfee. It worked well, up to 97%, then shut down and the virus screen reappeared.
    I immediately unplugged the computer and disconnected it from the intranet. I used my laptop to do research on a cure for this virus. I discovered a company offering assistance – TeeSupport.com – online at 10pm at night – live support. It cost me $69. to have them “takeover” (online) my computer and manually delete the virus.
    I spent the money – as of now, it appears we’ve lost nothing and everything is back to normal.
    Another lesson reminded – never open an attached file that you don’t recognize. (grrrr)
    I hope law enforcement catches the little jerks.

  22. Mike

    First off thank you so much for your coverage of the Airline Virus Emails that have been going around, it has been a big help.

    Yesterday, my wife opened one of these emails and the attached zip file on her Droid-based Tmobile Samsung Galaxy S, w/ the Gmail App, not realizing what it was.

    Is her phone at risk? I am not sure anything was installed. I have heard that the .exe cannot be read by Droid but I am also not sure if the .zip had a .exe or something else in it as she deleted the email after opening it.

    I have run a scan of the phone with some of the free Anti-Virus Apps (Lookout and AVG) from the Market place and that reported no issues.

    I have thought about connecting her phone to my HP laptop with Symantec Endpoint Protection to run an additional virus scan but I am concerned that I may infect my laptop if I mount the phone via USB. Should I be concerned about transferring a virus to my laptop if it is in fact on her phone?

    Thank you.

  23. Mark Berry Post author

    Mike, I’m no Android expert but I doubt a Windows .exe could run there, and so far no one above has reported otherwise. Just connecting your laptop probably wouldn’t matter, but if you went so far as to copy the .exe and execute it, you could infect your laptop. I’d just delete the mail and any saved downloads, and thank goodness you didn’t get infected!

  24. Meesha

    Dear Customer,

    FLIGHT NUMBER A627
    ELECTRONIC 859595824
    DATE & TIME / JANUARY 29, 2012, 11:44 PM
    ARRIVING / Montgomery
    TOTAL PRICE / 275.23 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines.

    This is the email I got. Could only be a virus. If I booked a flight, it would have my name and a city I would travel to

  25. Cedric F

    I got the same thing! Here is what I got:

    Hello

    FLIGHT NUMBER AB871
    ELECTRONIC 386425646
    DATE & TIME / JANUARY 26, 2012, 10:22 PM
    ARRIVING / Tucson
    TOTAL PRICE / 192.54 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  26. Sev

    I got one of these today too and didn’t fall for it
    Don’t You Either…………………….

    Dear Customer,

    FLIGHT NUMBER A627
    ELECTRONIC 378860473
    DATE & TIME / JANUARY 31, 2012, 10:33 PM
    ARRIVING / KnoxvilleFort
    TOTAL PRICE / 111.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines

  27. Glynda

    New Airline Ticket Virus Email. Thank you Mark Berry for your kindness in posting the warning regarding this virus email. I just received the email today. I recently stupidly put my real name, address, and email on a web site and thought that the “American Airlines” email was a result of that error.

  28. NWC

    Just received this today and as I travel often, I opened the file on my HTC Evo Droid phone while I was out, and preoccupied:

    Dear Customer,

    FLIGHT NUMBER A745
    ELECTRONIC 780536635
    DATE & TIME / JANUARY 13, 2012, 10:33 AM
    ARRIVING / St. LouisTampa
    TOTAL PRICE / 199.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

    I have looked thru my phone/SD card and can’t recognize if there was a file downloaded. When I clicked on the attachment again on the phone/email it asked “would you like to replace the existing ‘ticket doc’?” When I go thru all of the files tho, I don’t see anything called “ticket doc”.

    I downloaded Lookout virus scanner from the Droid Market and the phone comes up clean – but is this accurate? How can I find the file? I’m totally freaked out that my phone is infected and all of my info is being drained as I type this..

    HELP!!! :(

  29. Robert Sweetman

    I hear it was distributed through AOL email.

    Here’s what I removed (so far)
    zbot trojan virus: detected by AVG free (froze when trying to isolate) Ran a special program from AVG (rmzbot)

    STOPzilla found: (2) inter2000, (1) GASF file (liia.sys) and (29) Registry Key entries

    Reinstalled AVG, ran, detected and removed: Generic_r.IO, (gmect.f) Win32/Kryptik.YGY (SIL.EXE), Artemis!3115F56C61CA (9B20.tmp), TR/Crypt.XPACK.Gen (B3E0.TMP), Artemis!3115F56C61CA (A59C.TMP)

    All has been quiet now for a day or so. Hope it’s gone!

  30. NWC

    But how do I find it and remove it from my phone? I can’t find any zip files on sd card, or elsewhere :(

  31. Rachel

    Just received one today – thank you for documenting the virus – saved me a great deal of time and expense.

    Dear Customer,

    FLIGHT NUMBER A714BN
    ELECTRONIC 669723510
    DATE & TIME / JANUARY 25, 2012, 10:53 PM
    ARRIVING / Sacramento
    TOTAL PRICE / 189.11 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  32. Bill

    Got this today.

    Hello

    FLIGHT NUMBER AA112
    ELECTRONIC 935047405
    DATE & TIME / JANUARY 13, 2012, 10:22 AM
    ARRIVING / KnoxvilleFort
    TOTAL PRICE / 125.22 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  33. Sandra

    Just had one show up at 11:12am

    Hello

    FLIGHT NUMBER A627
    ELECTRONIC 320508329
    DATE & TIME / JANUARY 30, 2012, 11:44 AM
    ARRIVING / Oxnard
    TOTAL PRICE / 189.11 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for your attention.

    American Airlines.

  34. Graeme T

    Thanks for sharing – I thought it looked like a virus, thankfully it went to my hotmail spam so I was instantly suspicious!

  35. Elise

    I got one of these today and another a couple weeks ago. First I was going to NYC and then I was going to Grand Rapids. I just want these fools to know I’m not as much of an idiot as they think I am!!!

  36. shalini

    Thank you for the posts. I thought someone had gotten My CC card and info and was planning on doing some traveling. Glad I googled it first.

  37. Shelly

    I received two of these today. It was a close call for me to open it because I AM flying AA in a few days and made a change yesterday. The first clue was that it went to my spam account, the second was it looked NOTHING like the other emails from AA. Glad to find my gut instinct was correct.

  38. Steph

    Got one today too! I do NOT fly, so this was a curious inbox find to say the least. Perhaps I am still oversensitive, but to see a fake flight #A911, knowing American Airlines flight 11 was one of the 9/11 casualties, is pretty freakin’ crappy IMO.

    Your Order#517599993
    American Airlines [email protected]

    Dear Customer,

    FLIGHT NUMBER A911
    ELECTRONIC 641467651
    DATE & TIME / JANUARY 27, 2012, 11:44 PM
    ARRIVING / Aurora
    TOTAL PRICE / 189.15 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  39. Susan

    I received one today sending me to Amarillo… as a Texan, I can say that I would never purposely choose to fly there!

    FLIGHT NUMBER AA534
    ELECTRONIC 747841554
    DATE & TIME / JANUARY 13, 2012, 10:33 AM
    ARRIVING / Amarillo
    TOTAL PRICE / 257.58 USD

  40. CHRISTINE

    I received the email on my phone. Since I haven’t made any arrangements to fly, I did not open. I checked the AA website to check if the flight number existed. It didn’t. I was also afraid that someone booked using my credit card. Then on to Google where I found all you great people posting the same thing. Thank you for sharing. I immediately deleted it.

  41. Phil

    Never open an e-mail you don’t trust. The American Airlines ticket virus just got me. What was I thinking. I had to restart my computer in safe mode to try a system restore. I think it worked. Good luck. Why aren’t the FBI going after these thieves. Follow the money and bust them. It’s attempted theft. They infect your computer then offer to sell you the problem fix. Follow the money and bust their ass. Prison time is what these jerks should get, not our cash.

  42. Pat

    I received this email on Jan 2, flying to Chicago! Flight A911. Thought it suspicious so first checked all my credit cards for the amount posted for the cost. Then googled the flight #. BTW…who wants to go to Chicago in Jan? GEEZ…at least pick Florida!!! LOL.

    Thanks for the heads-up!

  43. mike

    when you get a free ticket in the mail which don’t even tell you what city you are leaving from and then look at the AA website to see there is no such flight number and NEVER EVER open a ZIP file from someone you don’t know

  44. Chris

    Just received one with arrival to Plano ?? flight A864 through AOL account. Almost got me because I do have a flight booked with American Airlines to another destination and didn’t read it carefully, but thankfully my AVG caught it as a Trojan horse virus before I could open it . Checked online and found all the warnings, will never do that again before reading it thoroughly first !!

  45. DW

    Got one like this today and was immediately suspicious, did not open the attachment, and marked it as spam. I realized that had I actually recently made some kind of travel plan, I might have been duped into opening this. So obnoxious.

  46. Teresa

    Here’s what I did to restore his PC:
    Closed all open windows
    Reboot in safe mode with networking
    Because we couldn’t see IE – in search – put in Run and then iexplore.exe
    Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
    Ran combofix – after it was done the icons returned to the desktop
    Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    Started with #7 and Downloaded Malwarebytes and ran it – found 3 items
    Continued with #19 to unhide the icons
    Rebooted as normal and PC was back to pre-virus state.

  47. Karen

    Yeah…I wasn’t so smart and opened it, luckily my security suite caught it and quarantined it -_- that’s a scary one though, because it seemed pretty real.

  48. Randy

    Just got a new version of this virus:
    Dear Customer,

    FLIGHT NUMBER A714BN
    ELECTRONIC 712573989
    DATE & TIME / JANUARY 17, 2012, 10:22 AM
    ARRIVING / Miami
    TOTAL PRICE / 157.17 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for your attention.
    American Airlines.
