New Airline Ticket Virus Email

Mark Berry November 3, 2011

Today I received an email supposedly from American Airlines with a Zip file attachment:

American Airlines ticket virus 1

If you open the zip file, you’ll see what looks like a Word document:

American Airlines ticket virus 2

However, if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

American Airlines ticket virus 3

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
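The same check can be made without opening or extracting anything. The following is an added example, not part of the original post: it reads a Zip attachment's member list in memory and flags executable or double extensions, the `MZ` executable header, and password-protected members. The extension lists and the sample file names are constructed assumptions.

```python
import io
import zipfile

# Extensions Windows runs on double-click (common subset; this list is an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-style extensions used as the visible decoy in a double extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}


def split_ext(name: str) -> tuple[str, str]:
    """Return (stem, lowercased extension including the dot, or '')."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot and stem else (name, "")


def inspect_zip(data: bytes) -> list[dict]:
    """Read member names and first bytes in memory; nothing is written to disk or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            stem, ext = split_ext(name)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
                if split_ext(stem)[1] in DECOY_EXTS:
                    reasons.append("double extension")
            if info.flag_bits & 0x1:  # bit 0 set: member is password-protected
                reasons.append("encrypted member")
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS/PE executable magic
                        reasons.append("MZ header")
            if reasons:
                # With "Hide extensions" on, Explorer shows only the stem.
                findings.append({"name": name, "shown_as": stem, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: placeholder bytes only, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket_AA.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Ticket_AA.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed sample text")
    return buf.getvalue()
```

Pass `inspect_zip()` the raw bytes of a saved attachment; each finding's `shown_as` value is the name Explorer displays while extensions are hidden.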

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

  • December 16, 2011 – Susan Green
  • December 16, 2011 – Michael
  • January 6, 2012 – Teresa
  • January 16, 2012 – Shea
  • January 19, 2012 – Bob
  • January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.



219 Comments

  1. monica   |  March 19, 2012 at 1:24 am

    I received this email today:

    Hello

    FLIGHT NUMBER AA3928
    ELECTRONIC 8828759
    DATE & TIME / MARCH 23, 2012, 10:33 PM
    ARRIVING / New Orleans
    TOTAL PRICE / 237.37USD

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  2. Lorraine   |  March 22, 2012 at 4:06 pm

    I’ve just received this same American Airlines e-ticket and as it didn’t have a departure airport, I was suspicious and deleted it. Difficult to go on this flight if you’ve got nowhere to fly from!
    The ticket was for somewhere I’d never heard of. Shame I didn’t get New York or Chicago! Then I googled it (wrong way round really) and found this. It’s good to know there are good guys out there giving the right advice which is, delete it! I’m so glad I did.

  3. gregg   |  March 30, 2012 at 11:48 am

    my wife just received similar email: zip file attached. Her “free” ticket was to Amarillo, TX?! Not too suspicious, lol.
    I feel for everyone who has had problems from this.
    Stay vigilant people.
    Thanks for the info, OP.

  4. New USPS Shipment Virus Email | MCB Systems   |  April 19, 2012 at 1:00 pm

    […] a new variation on the airline ticket virus email that I reported on last November. An email supposedly from the United States Postal Service says […]

  5. Caroline   |  June 09, 2012 at 7:58 pm

    Dear Customer,

    TICKET NUMBER / 1 193 1090373421 1
    SEAT / 35A/ZONE 2
    DATE / TIME 22 JUNE, 2012, 10:29 PM
    ARRIVING / Tampa
    FORM OF PAYMENT / CC
    TOTAL PRICE / 115.15 USD
    REF / EK9330 ST / OK
    BAG / 1PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  6. eric   |  June 10, 2012 at 4:27 am

    got it today for a flight tomorrow to riverside, where is riverside? since i’m poor and don’t fly, i just checked to see what the attachment was and it was a zip file so i quickly deleted it, and deleted it out of my trash box too.

  7. ARMANDO DIAZ   |  June 10, 2012 at 8:58 am

    Dear Customer,

    TICKET / 3 303 1387394236 3
    SEAT / 37A/ZONE 1
    DATE / TIME 17 JUNE, 2012, 10:31 PM
    TODAY JUN 10, 2012 I HAVE RECEIVED THE VIRUS WITH ATTACHMENT, SO I LIVE IN MEXICO AND NEVER BEEN IN CLEAVELAD…SO THE JACKER NEVER MIND IN THIS,….

    ARRIVING / Cleveland
    FORM OF PAYMENT / CC
    TOTAL PRICE / 371.71 USD
    REF / KE1431 ST / OK
    BAG / 2PC

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

  8. Tara   |  June 13, 2012 at 3:42 pm

    Dear Customer,

    FLIGHT NUMBER A59-264
    DATE & TIME / JUNE 22, 2012, 10:117 PM
    ARRIVING: NEW YORK JFK
    TOTAL PRICE : 422.34 USD

    Please download and print out your ticket here:
    DOWNLOAD

    Amercian Airlines{br[1-5]}

  9. Jason M   |  June 14, 2012 at 10:39 am

    Well I got hit, stupidly got fooled. opened the attachment (winzip) and inside were a folder and a adobe? read file. I clicked the read file and it just disappeared, nothing happened, i clicked the file and there were multiple sub folders with gibberish in it. I ran avg and nothing, i ran my spyware program (i believe it’s called spyzilla) and nothing, No folders disappearing, I’ll go home and see if i can get my Malwarebytes program to work but i wonder if i dodged a bullet?

  10. Mark Berry   |  June 14, 2012 at 11:08 am

    Jason, you could well be infected even if the programs aren’t picking it up yet. Update your anti-virus program every day and scan every day for at least a week. I use Microsoft Security Essentials for real-time protection and automatic daily scanning, and I additionally run manual scans with Malware Bytes when I am worried about an infection.

  11. Jack Albritton   |  June 21, 2012 at 7:07 am

    My wife ordered a plane ticket and I opened the ticket (wrong airline) and got the virus. It disables my Microsoft Security Essentials. I tried to restore to earlier version but it will not let me. I loaded my Windows 7 disc before I left for work this morning and loaded my Microsoft Security Essentials and let it do a full scan. I hope I have good news when I get home this afternoon.

    Jack

  12. Jason M   |  June 21, 2012 at 10:26 am

    I updated my AVG, Stop Zilla, and loaded Malwarebytes. I ran all 3. interestingly AVG didn’t catch anything but stopzilla found about 4 trojans and Malwarebytes found another 3. Deleted them all, reloaded windows, ran both programs again and came back clean. I waited a few days and ran again with the same results so i think I took care of it. Definitely a tricky bastard and I learned a lesson.

  13. jon   |  October 01, 2012 at 7:30 pm

    I got the email today.
    Dear Customer,

    TICKET NUMBER / 3 596 1224304576 3
    SEAT / 73E/ZONE 1
    DATE / TIME 28 OCTOBER, 2012, 10:59 AM
    ARRIVING / New Orleans
    FORM OF PAYMENT / CC
    TOTAL PRICE / 337.37 USD
    REF / OE7710 ST / OK
    BAG / 4PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.
    The sender was, [removed]
    I didn’t open the .exe file named: AA_TICKET.ZIP

  14. Jim   |  October 08, 2012 at 5:55 pm

    I got the email today:

    Dear Customer,

    E-TICKET / 3 950 1259853817 3
    SEAT / 37A/ZONE 3
    DATE / TIME 22 OCTOBER, 2012, 10:40 PM
    ARRIVING / Yonkers
    FORM OF PAYMENT / CC
    TOTAL PRICE / 355.55 USD
    REF / EF4440 ST / OK
    BAG / 3PC

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  15. Valerie   |  November 09, 2012 at 1:42 pm

    I received this today, it bypassed all my security. It just seemed too strange to open it, googled AA email spam and found this confirmation, thanks!
    Dear Customer,

    TICKET / 1 666 1313956328 1
    SEAT / 49F/ZONE 2
    DATE / TIME 26, DECEMBER, 2012, 10:26 PM
    ARRIVING / Lexington
    FORM OF PAYMENT / CC
    TOTAL PRICE / 184.84 USD
    REF / OE9006 ST / OK
    BAG / 5PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  16. April   |  November 10, 2012 at 7:50 am

    Got this today. Knew it was fishy, in particular when the date of flight has already passed.
    It’s Nov. 10, 2012 today and the info states June 24, 2012. Had to google it to make sure.
    Thanks!

    To open archive pleace use this password: AATicket Dear Customer,

    TICKET / 2 298 1044938503 2
    SEAT / 10A/ZONE 2
    DATE / TIME 24 JUNE, 2012, 10:32 AM
    ARRIVING / Colorado Springs
    FORM OF PAYMENT / CC
    TOTAL PRICE / 262.62 USD
    REF / KE4854 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    You can print your ticket.

    To open archive please use this password: ticket6

  17. Jackie   |  December 10, 2013 at 11:35 am

    Received an email from American Airlines yesterday and one from United today, both saying my eticket was attached. Luckily it went to my spam account and I did not open it. My husband checked all our credit card and checking accounts on another computer to make sure they had not been charged by somebody else. These even had the Norton check mark on them so you would think they had been scanned and approved by Norton.

  18. Grant   |  July 17, 2014 at 9:50 am

    This is still making the rounds as my spouse received one pretending to be an Air Canada source. Because we travel with them quite a bit I noticed a couple of inconsistencies from their normal confirmation emails. Interesting though, to add legitimacy to the whole thing the link to Air Canada’s Contact Us actually does take you to the legit page. Anyway, I’ve pasted the text of the email below for information.

    ReplyTo: tickets@aircanada.com

    Subject: Your Order #38810882 – PROCESSED

    Dear client,

    Your order has been successfully processed and your credit card has been charged.

    E-TICKET # QB38810882CA
    FLIGHT # 479018
    DATE & TIME / JUL 19th, 2014, 14:30
    DEPARTING / Toronto
    TOTAL PRICE / 895.00 CAD

    The ticket and the payment confirmation invoice can be viewed online :
    Link removed

    To download an electronic copy of the documents, for your own records, visit :
    Link removed

    For more information regarding your order, contact us by visiting : http://www.aircanada.com/en/customercare/index.html

    Thank you for choosing Air Canada

  19. 10 lessons learned when recovering from a Windows virus « Chris Beck   |  January 10, 2015 at 2:48 pm

    […] out she caught the Airline Ticket Virus which is a trojan horse for delivering the System Recovery Virus which (in plain English) pops up […]
