Today I received an email supposedly from American Airlines with a Zip file attachment:
If you open the zip file, you’ll see what looks like a Word document:
However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:
Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.
As usual: if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!
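A defender-side check for the disguise described above, as an added example that is not part of the original post: it lists the members of a zip attachment without extracting them and flags names whose real extension is executable, plus members marked as password-protected. The function names, the extension lists and the sample member names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run on double-click (illustrative, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically pretends to be.
DOCUMENT = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".txt"}

def classify(name: str, encrypted: bool = False) -> list[str]:
    """Return the reasons an archive member name looks suspicious."""
    # Strip padding so "ticket.doc      .exe" is still seen as .doc + .exe.
    suffixes = [s.strip().lower() for s in PurePosixPath(name.strip()).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE:
        reasons.append("executable")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT:
            reasons.append("double-extension")
    if encrypted:
        reasons.append("encrypted")
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each flagged member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flags marks an encrypted member.
            reasons = classify(info.filename, bool(info.flag_bits & 0x1))
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed sample archive; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AA_Ticket.exe", b"placeholder")
        zf.writestr("Itinerary.doc.exe", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Traditional zip encryption leaves member names readable, so the name check still works on a password-protected attachment even though a scanner cannot inspect the contents.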
Update January 16 and 19, 2012: Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:
- December 16, 2011 – Susan Green
- December 16, 2011 – Michael
- January 6, 2012 – Teresa
- January 16, 2012 – Shea
- January 19, 2012 – Bob
- January 19, 2012 – Mark
Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.
I received this email today:
Hello
FLIGHT NUMBER AA3928
ELECTRONIC 8828759
DATE & TIME / MARCH 23, 2012, 10:33 PM
ARRIVING / New Orleans
TOTAL PRICE / 237.37USD
Your ticket is attached.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
I’ve just received this same American Airlines e-ticket and as it didn’t have a departure airport, I was suspicious and deleted it. Difficult to go on this flight if you’ve got nowhere to fly from!
The ticket was for somewhere I’d never heard of. Shame I didn’t get New York or Chicago! Then I googled it (wrong way round really) and found this. It’s good to know there are good guys out there giving the right advice which is, delete it! I’m so glad I did.
My wife just received a similar email: zip file attached. Her “free” ticket was to Amarillo, TX?! Not too suspicious, lol.
I feel for everyone who has had problems from this.
Stay vigilant people.
Thanks for the info, OP.
Dear Customer,
TICKET NUMBER / 1 193 1090373421 1
SEAT / 35A/ZONE 2
DATE / TIME 22 JUNE, 2012, 10:29 PM
ARRIVING / Tampa
FORM OF PAYMENT / CC
TOTAL PRICE / 115.15 USD
REF / EK9330 ST / OK
BAG / 1PC
Your ticket is attached.
To use your ticket you should print it.
Thank you
American Airlines.
Got it today for a flight tomorrow to Riverside, where is Riverside? Since I’m poor and don’t fly, I just checked to see what the attachment was and it was a zip file so I quickly deleted it, and deleted it out of my trash box too.
Dear Customer,
TICKET / 3 303 1387394236 3
SEAT / 37A/ZONE 1
DATE / TIME 17 JUNE, 2012, 10:31 PM
TODAY JUN 10, 2012 I HAVE RECEIVED THE VIRUS WITH ATTACHMENT, SO I LIVE IN MEXICO AND NEVER BEEN IN CLEVELAND…SO THE JACKER NEVER MIND IN THIS,….
ARRIVING / Cleveland
FORM OF PAYMENT / CC
TOTAL PRICE / 371.71 USD
REF / KE1431 ST / OK
BAG / 2PC
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Dear Customer,
FLIGHT NUMBER A59-264
DATE & TIME / JUNE 22, 2012, 10:117 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 422.34 USD
Please download and print out your ticket here:
DOWNLOAD
Amercian Airlines{br[1-5]}
Well I got hit, stupidly got fooled. Opened the attachment (WinZip) and inside were a folder and an Adobe? read file. I clicked the read file and it just disappeared, nothing happened, I clicked the file and there were multiple sub folders with gibberish in it. I ran AVG and nothing, I ran my spyware program (I believe it’s called spyzilla) and nothing. No folders disappearing. I’ll go home and see if I can get my Malwarebytes program to work but I wonder if I dodged a bullet?
Jason, you could well be infected even if the programs aren’t picking it up yet. Update your anti-virus program every day and scan every day for at least a week. I use Microsoft Security Essentials for real-time protection and automatic daily scanning, and I additionally run manual scans with Malwarebytes when I am worried about an infection.
My wife ordered a plane ticket and I opened the ticket (wrong airline) and got the virus. It disables my Microsoft Security Essentials. I tried to restore to earlier version but it will not let me. I loaded my Windows 7 disc before I left for work this morning and loaded my Microsoft Security Essentials and let it do a full scan. I hope I have good news when I get home this afternoon.
Jack
I updated my AVG, STOPzilla, and loaded Malwarebytes. I ran all 3. Interestingly AVG didn’t catch anything but STOPzilla found about 4 trojans and Malwarebytes found another 3. Deleted them all, reloaded Windows, ran both programs again and came back clean. I waited a few days and ran again with the same results so I think I took care of it. Definitely a tricky bastard and I learned a lesson.
I got the email today.
Dear Customer,
TICKET NUMBER / 3 596 1224304576 3
SEAT / 73E/ZONE 1
DATE / TIME 28 OCTOBER, 2012, 10:59 AM
ARRIVING / New Orleans
FORM OF PAYMENT / CC
TOTAL PRICE / 337.37 USD
REF / OE7710 ST / OK
BAG / 4PC
Your ticket is attached.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
The sender was, [removed]
I didn’t open the .exe file named: AA_TICKET.ZIP
I got the email today:
Dear Customer,
E-TICKET / 3 950 1259853817 3
SEAT / 37A/ZONE 3
DATE / TIME 22 OCTOBER, 2012, 10:40 PM
ARRIVING / Yonkers
FORM OF PAYMENT / CC
TOTAL PRICE / 355.55 USD
REF / EF4440 ST / OK
BAG / 3PC
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
I received this today, it bypassed all my security. It just seemed too strange to open it, googled AA email spam and found this confirmation, thanks!
Dear Customer,
TICKET / 1 666 1313956328 1
SEAT / 49F/ZONE 2
DATE / TIME 26, DECEMBER, 2012, 10:26 PM
ARRIVING / Lexington
FORM OF PAYMENT / CC
TOTAL PRICE / 184.84 USD
REF / OE9006 ST / OK
BAG / 5PC
Your ticket is attached.
To use your ticket you should print it.
Thank you
American Airlines.
Got this today. Knew it was fishy, in particular when the date of flight has already passed.
It’s Nov. 10, 2012 today and the info states June 24, 2012. Had to google it to make sure.
Thanks!
To open archive pleace use this password: AATicket
Dear Customer,
TICKET / 2 298 1044938503 2
SEAT / 10A/ZONE 2
DATE / TIME 24 JUNE, 2012, 10:32 AM
ARRIVING / Colorado Springs
FORM OF PAYMENT / CC
TOTAL PRICE / 262.62 USD
REF / KE4854 ST / OK
BAG / 5PC
Your bought ticket is attached.
You can print your ticket.
To open archive please use this password: ticket6
Received an email from American Airlines yesterday and one from United today, both saying my eticket was attached. Luckily it went to my spam account and I did not open it. My husband checked all our credit card and checking accounts on another computer to make sure they had not been charged by somebody else. These even had the Norton check mark on them so you would think they had been scanned and approved by Norton.
This is still making the rounds as my spouse received one pretending to be an Air Canada source. Because we travel with them quite a bit I noticed a couple of inconsistencies from their normal confirmation emails. Interesting though, to add legitimacy to the whole thing the link to Air Canada’s Contact Us actually does take you to the legit page. Anyway, I’ve pasted the text of the email below for information.
ReplyTo: [email protected]
Subject: Your Order #38810882 – PROCESSED
Dear client,
Your order has been successfully processed and your credit card has been charged.
E-TICKET # QB38810882CA
FLIGHT # 479018
DATE & TIME / JUL 19th, 2014, 14:30
DEPARTING / Toronto
TOTAL PRICE / 895.00 CAD
The ticket and the payment confirmation invoice can be viewed online :
Link removed
To download an electronic copy of the documents, for your own records, visit :
Link removed
For more information regarding your order, contact us by visiting : http://www.aircanada.com/en/customercare/index.html
Thank you for choosing Air Canada