New Airline Ticket Virus Email

Mark Berry November 3, 2011

Today I received an email supposedly from American Airlines with a Zip file attachment:

[Image: American Airlines ticket virus 1]

If you open the zip file, you’ll see what looks like a Word document:

[Image: American Airlines ticket virus 2]

However, if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

[Image: American Airlines ticket virus 3]

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual: if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!
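The disguise described above (an executable inside a zip that looks like a document while Windows hides the extension) can be caught without any virus signature by checking member names and first bytes. The Python sketch below is an added example, not part of the original post; its function names and sample archive are constructed for illustration, and it also covers the related double-extension case (`Ticket.doc.exe`), which goes slightly beyond what the post shows.

```python
import io
import zipfile

# Extensions Windows runs on double-click (a common subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure usually imitates.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}


def split_ext(name):
    """Split 'Ticket.doc.exe' into ('Ticket.doc', '.exe'); extension lower-cased."""
    name = name.rstrip(" .")  # Windows drops trailing spaces and dots from file names
    dot = name.rfind(".")
    if dot <= 0:
        return name, ""
    return name[:dot], name[dot:].lower()


def inspect_member(name, head):
    """Return the reasons (possibly none) an archive member should be blocked.

    name -- member path as stored in the archive
    head -- the first bytes of the member's content
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = split_ext(base)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # With extensions hidden, 'Ticket.doc.exe' is displayed as 'Ticket.doc'.
        _, inner = split_ext(stem)
        if inner in DOCUMENT_EXTS:
            reasons.append("double extension " + inner + ext)
    # DOS/PE programs begin with the bytes 'MZ' whatever the file is called.
    if head[:2] == b"MZ":
        reasons.append("MZ program header")
        if ext in DOCUMENT_EXTS:
            reasons.append("content does not match extension " + ext)
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 marks an encrypted member
            head = b""
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(2)
            reasons = inspect_member(info.filename, head)
            if encrypted:
                reasons.append("encrypted, content not inspected")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed test archive; the 'MZ' members are inert filler, not programs."""
    filler = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.exe", filler)       # the case shown in the post
        zf.writestr("Ticket.doc.exe", filler)   # double-extension variant
        zf.writestr("Ticket.doc", filler)       # program renamed to a document
        zf.writestr("Itinerary.txt", b"constructed sample text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(member + ": " + "; ".join(why))
```

A mail gateway or download hook could run the same check on attachments before delivery; it depends on the file's name and header rather than on an anti-virus engine already knowing the variant.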

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

  • December 16, 2011 – Susan Green
  • December 16, 2011 – Michael
  • January 6, 2012 – Teresa
  • January 16, 2012 – Shea
  • January 19, 2012 – Bob
  • January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.



218 Comments

  1. Jenny Seggar   |  December 04, 2011 at 4:00 pm

    Thank you very much for posting this! I really appreciate it – it saved me from being caught with it.

  2. phill   |  December 05, 2011 at 5:50 am

    Very good post!! Just had the email myself, only flying to New York JFK this time. The date was also the 9th of December. Again, thanks very much!!

  3. Me   |  December 05, 2011 at 6:14 am

    I just received a similar email, luckily I decided to have a look on Google before opening it!

  4. Duncan Marshall   |  December 05, 2011 at 7:13 am

    I also received one of these today. The attachment was disguised as a PDF. I actually double-clicked it (after it passed anti-virus scan), then realised what I’d done, and so I quickly crashed the computer to prevent it unpacking. No ill effects so far, but a close call. In my case, it got past BitDefender, even when I scanned the zip file.

    I hate these people.

  5. JP Rowe   |  December 05, 2011 at 7:19 am

    I just got the same thing…

    Notification,
    FLIGHT NUMBER A781BN
    ELECTRONIC 763738965
    DATE & TIME / DECEMBER 08, 2011, 11:53 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 411.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

    With a zip attachment. I agree it has to be a virus.

  6. JP Rowe   |  December 05, 2011 at 7:56 am

    Interesting… Gmail quarantined it…

    The message “Your Order##226836253” from American Airlines (manager.sn.29595@aa.com) contained a virus or a suspicious attachment. It was therefore not fetched from your account and has been left on the server.

    If you wish to write to American, just click reply and send American a message.

    Thank you,

    The Gmail Team

  7. Mark Berry   |  December 05, 2011 at 8:16 am

    By now the anti-virus engines should be trapping the one that started November 3. However I received a new variant, also bypassing multiple checks, about ten days ago. Stay vigilant!

  8. June   |  December 05, 2011 at 12:41 pm

    Hi, I got the same e-mail in my junk box today, thanks for posting comments. It’s good to see what’s out there.

    June

  9. steve   |  December 05, 2011 at 1:55 pm

    Message Body

    Cheers for this, thought it would be a virus but always nice to know for sure :o)
    Also just got one…… Shame it’s a virus as could really do with a holiday

    Notification,
    FLIGHT NUMBER A781BN
    ELECTRONIC 557662963
    DATE & TIME / DECEMBER 14, 2011, 10:45 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 258.23 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines.

  10. bnjohanson   |  December 05, 2011 at 3:51 pm

    Anyone have any suggestions on how to clean it once it has been opened and therefore infected the machine?

  11. Arthur   |  December 06, 2011 at 7:47 am

    I also rec’d this today 6th Dec but thought I would check it out before I opened it. So thanks to everyone who has posted this info.

  12. mick   |  December 06, 2011 at 9:32 am

    Notice,
    FLIGHT NUMBER AA984
    ELECTRONIC 600619277
    DATE & TIME / DECEMBER 16, 2011, 10:45 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 321.56 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Got this today. As I never book American Airlines and there was no departing airport, I scanned it with McAfee and nothing found, so I had a little look and saw it was an exe file, so decided to check online 1st as was wary and found this page. Arrived in my AOL email box that is meant to be protected by AOL and McAfee.

  13. Andrew mellen   |  December 06, 2011 at 10:11 am

    It got through my AOL account too. Why would someone open a flight email when they haven’t booked one?

  14. John Spiby   |  December 06, 2011 at 11:30 am

    Does anyone have any ideas on how to sort things – I opened the file by mistake – or is it a lost cause – many thanks

  15. molly reed   |  December 06, 2011 at 1:09 pm

    I got this today. And because I work with travel all the time (and have an outstanding JFK flight) and was in a hurry, I stupidly opened it. IT ERASED EVERYTHING ON MY COMPUTER except AOL and my wallpaper.

  16. Brendastic   |  December 06, 2011 at 2:33 pm

    I know this was stupid – have a MAC and never got a file like this so far. So I tried to open (and could not because it was a docx file and left it). Will something happen? How can I check?

  17. simon   |  December 06, 2011 at 4:07 pm

    I don’t know if anyone knows how to obtain a more definitive location

    IP of sender of e-mail virus is 142.166.86.98
    located in Fredericton, New Brunswick, CANADA

  18. Nathaniel   |  December 07, 2011 at 3:46 am

    I just received one as well. I’ve got Avast! free virus scan and mine did see it as a dangerous file.
    Thanks for the posts, made me sure not to open it :)

  19. Brad   |  December 07, 2011 at 4:29 am

    I just got this myself as well in my outbox via Hotmail
    =========================================================================
    Notification,
    FLIGHT NUMBER AA983
    ELECTRONIC 744412175
    DATE & TIME / DECEMBER 14, 2011, 10:45 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 283.30 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.
    =========================================================================

  20. Helen Forster   |  December 07, 2011 at 5:21 am

    Thanks so much for all the posts – I was just about to click it open thinking one of my staff team had been using the credit card but thought I better check.

  21. Claire   |  December 07, 2011 at 6:25 am

    Thanks saved me too

  22. Chris   |  December 07, 2011 at 7:07 am

    My girlfriend has just opened this email too. She has lost all of her university work from the last two years. No back up. A tech guy is trying to restore it at the moment. Has anyone who opened the file managed to get their info back?

    She has just got back from NY on holiday so why wouldn’t she open the file!?

    Gutted.

  23. Paul   |  December 07, 2011 at 11:26 am

    I just opened this. It got through my aol account, and I opened it because my mom doesn’t use her email and when she buys tickets and stuff she uses my account. My anti-virus didn’t catch it. I opened it. Everything I had was erased. I am trying to see if any techs can restore it. Anyone have any luck?

  24. Justin   |  December 07, 2011 at 12:19 pm

    Good job I thought to have a look on google before opening the email in my junk folder!! I thought that somebody had got my credit card and was having a good time at my expense.

    Email was as below.

    Notification,
    FLIGHT NUMBER 980
    ELECTRONIC 753197060
    DATE & TIME / DECEMBER 13, 2011, 12:54 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 214.34 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

    THANKS EVERYONE FOR POSTING!!

  25. Nils   |  December 07, 2011 at 1:18 pm

    I received this right now and luckily googled first. I’m going to NY in February so they almost fooled me.

    Notice,
    FLIGHT NUMBER A781BN
    ELECTRONIC 363169492
    DATE & TIME / DECEMBER 12, 2011, 11:53 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 367.45 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines.

  26. Tom   |  December 07, 2011 at 3:26 pm

    Got the same notice but made the mistake of opening it in a PDF. It crashed the PC. Rebooted in Safe Mode and was able to restore to an earlier date. Got my files back but have some small issues to resolve. A lot of time and frustration over this. So far so good.

  27. trace   |  December 07, 2011 at 4:58 pm

    Came through as spam on AOL but knew not to open. Good to see people helping :)

  28. Graham   |  December 09, 2011 at 9:41 pm

    American Airlines do not fly from my local airport and it has been over twenty years since I have needed to visit any part of the USA, let alone JFK so I knew that it was some sort of spam anyway and just deleted it. Clearly whoever sent it had not targeted the recipients very well. My concern though was that it went through three levels of security to go directly into my inbox. Any ideas who is responsible and what we can do about it?

  29. Mark Berry   |  December 09, 2011 at 10:54 pm

    Wish I had easy answers for those that got the virus. Sometimes Safe Mode helps, in combination with a good scanner like Malwarebytes. More advanced options include booting from CD to run anti-virus programs. Often your only recourse is to wipe the disk and re-install everything. As long as you have backups, that’s not catastrophic; a good image-based backup can quickly take you back a day or two. I blogged briefly about backups.

    It is disturbing that these things are getting past anti-virus scanners so frequently, but there are so many new viruses every day that there will always be some that get through. If you want to see how many scanners recognize the variant that you received, you can upload a copy of the file to http://www.virustotal.com. Do this at your own risk–you have to save it to your computer without opening it in order to be able to upload it.

  30. Ann Marie   |  December 13, 2011 at 12:42 am

    It is still circulating with later dates. Thanks for the info…. Fortunately, I didn’t open it. Thanks again!

    Dear Customer,

    FLIGHT NUMBER AA984
    ELECTRONIC 064249717
    DATE & TIME / DECEMBER 23, 2011, 10:43 PM
    ARRIVING / NEW YORK JFK
    TOTAL PRICE / 366.45 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines.

  31. Mb   |  December 13, 2011 at 10:09 pm

    Whole computer crashed. All the files disappeared one after the other as soon as I clicked on the ticket sign (PDF format). I feel so sorry for opening that file. I lost all my new baby’s pictures. We didn’t even have a chance to back them up. Sick people.

  32. Mark Berry   |  December 13, 2011 at 10:31 pm

    Mb, sorry to hear that. You’re maybe the third comment reporting deleted files. I’ve heard of viruses that hold files for “ransom” until you pay them, but no one has mentioned that here. Consider taking the computer to a pro; maybe there is a way to salvage/undelete the files. Let us know if you find out.

  33. sue   |  December 15, 2011 at 6:26 am

    Just received email; mine was to FORT WORTH. Lucky I did a check around first to see if it was a virus before I tried to open it.

  34. Adonia   |  December 15, 2011 at 7:10 am

    I received the email too. Mine said it was for Chicago on Dec 22. I knew I hadn’t purchased a ticket so I used trusty ol’ google and found this page! Thanks for posting!

  35. Eva   |  December 15, 2011 at 8:52 am

    Received this but didn’t notice it right away – we live in England and were in bed when it was sent. Also thought it was interesting that mine says the zip file has 0k – so it is empty – I assume. Maybe the virus checkers are now alert to the scam. I googled the flight number and it did not equate with the same destination listed in the email. Thought originally my husband might have bought a ticket for someone in my family to come for a visit, however all my family are on the West Coast. None of the information regarding the flight is correct. So glad I found this site or I might still be wondering.

    American Airlines report.id83641@aa.com
    12:27 AM (16 hours ago)
    to me

    Hello

    FLIGHT NUMBER AA634
    ELECTRONIC 791699218
    DATE & TIME / DECEMBER 23, 2011, 10:43 PM
    ARRIVING / Charlotte
    TOTAL PRICE / 182.32 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for your attention.

    American Airlines.

    Ticket.zip
    0K View Download

  36. Eva   |  December 15, 2011 at 9:08 am

    I just looked back over some of the messages and found this interesting:

    “Thank you for using our airline company services.”

    “Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.
    Thank you for your attention.”

    Strange sounding wording – your bought ticket – wouldn’t an American company say purchased? And “our airline company services” doesn’t sound right either. Just a thought.

  37. Eva   |  December 15, 2011 at 9:09 am

    And thank you for your attention – who would say that in America?

  38. Martinolli23   |  December 15, 2011 at 9:33 am

    Just had this email sent to me for a flight to Jacksonville, but it was flagged by google chrome as a virus.

  39. Mark Berry   |  December 15, 2011 at 9:39 am

    Eva, “quite right” as the British would say: poor grammar or spelling and odd phrasing are often a clue that the email is not legitimate.

    Your 0K attachment may indicate that an anti-virus program (either on your computer or on the email server) cleaned the virus before it got to your Inbox.

  40. james   |  December 15, 2011 at 10:44 am

    I received this attachment in my gmail inbox. I didn’t download but previewed it. Should it harm my pc?

  41. muneer   |  December 15, 2011 at 11:35 pm

    I got the same mail, I opened it while I was in conversation with a colleague, didn’t notice it, man my computer is gone! It deleted everything, hard disk is not functioning.

  42. Andy   |  December 16, 2011 at 5:50 am

    Your files & folders aren’t missing, just hidden. In Windows Explorer, navigate to Folder Options, click the View tab and select Show hidden files and folders. It’s going to take some work but all is not lost. Don’t ask me how I know. :(

  43. CommitTreason   |  December 16, 2011 at 8:33 am

    Just had one crop up at work. Our mail server failed to notice it, but when I attempted to forward it home, gmail bounced it back.

  44. Cyndi   |  December 16, 2011 at 10:58 am

    Just got one too – into my outlook mailbox. Glad I researched it before opening the ticket! Thanks for the great info.

    Here’s what I got:

    Dear Customer,

    FLIGHT NUMBER AA711
    ELECTRONIC 966501410
    DATE & TIME / DECEMBER 24, 2011, 10:43 PM
    ARRIVING / San Diego
    TOTAL PRICE / 181.30 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

  45. Susan Green   |  December 16, 2011 at 3:33 pm

    Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
    Here’s what I did to restore his PC:
    Closed all open windows
    Reboot in safe mode with networking
    Because we couldn’t see IE – in search – put in Run and then iexplore.exe
    Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
    Ran combofix – after it was done the icons returned to the desktop
    Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    Started with #7 and downloaded Malwarebytes and ran it – found 3 items
    Continued with #19 to unhide the icons
    Rebooted as normal and PC was back to pre-virus state.

    Good luck!

  46. Michael   |  December 16, 2011 at 4:08 pm

    Having embarrassed myself (especially having worked for a famous OS software company), I fell for this one bad and by the time I realized it was a .exe file and not a pdf, the damage was done. However, I was able to completely fix the problem by doing the following (and assuming those who were infected have the same condition with your OS). Note I have a Windows Vista OS on my computer.
    1. Click on lower left corner Windows icon.
    2. Click on All Programs (that was the only option that was showing in this Window after the attack).
    3. Click on Default Programs
    4. The header file will now show Default Programs>
    5. Click on Control Panel in the file name and that should come up.
    6. If it does and you’re in Classic View, click on Backup and Restore C. If on default home view, select System and Maintenance. Follow instructions from there to restore your system to a previous date/time from the attack (if you’re able to). Fortunately I was.
    7. OS should reset everything back to status quo before the attack – at least mine did.

    Again as stated by others, you have not lost your files or programs with this vicious attack, just the access to them.

    I hope this helps and good luck.

  47. Mark Berry   |  December 16, 2011 at 4:33 pm

    Thanks Susan and Michael for sharing your remediation procedures.

    I got another one of these today, except this time instead of an attachment, it had a link to “Download your ticket here.” I started up an isolated virtual machine and opened the link. It linked to a site with an .ru domain (Russia), which started downloading a rather long JavaScript. I got tired of waiting for it to do anything so I closed the virtual machine, deleting the changes.

    Bottom line: watch out for variants: PDF instead of DOC attachments, or just a link with no attachment.

  48. Karen   |  December 17, 2011 at 8:38 pm

    I also received this today … I figured it was either a virus, or someone got my CC number & info and booked something … glad I googled before anything else … I also NEVER trust ANYthing sent to “Customer” … .

    Dear Customer,

    FLIGHT NUMBER AA711
    ELECTRONIC 565963602
    DATE & TIME / DECEMBER 20, 2011, 12:53 PM
    ARRIVING / Jacksonville
    TOTAL PRICE / 312.12 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  49. Zach   |  December 18, 2011 at 7:52 pm

    My father just opened this email up and his PC crashed and everything was erased. I was able to fix the problem in the following manner: (I just did this two minutes ago and as of now everything appears to be normal again)

    1) Shut down the computer as soon as possible to avoid any further damage.
    2) Reboot the computer in safe mode. (this is done on Windows by tapping the F8 button when you turn on the computer, if you get to the windows logo it’s too late. Restart the computer and try again.)
    3) Open the computer in Safe Mode with networking.
    4) Go to the Control Panel and perform a system restore. (this will restore your computer to an earlier date, specifically one before you opened the virus.)

    Anything you did after the system restore obviously won’t be available, but this is a small price to pay to get your computer back.

  50. karolinni   |  December 19, 2011 at 6:15 am

    I just received a similar email…I got it on my phone and there was no attachment to open on my phone. I checked my bank account just in case it was fraud done on my account. It’s sad to say that has happened to me before and they stole more than $1100 out of my bank account =(

  51. stacy   |  December 19, 2011 at 6:26 am

    Wish I’d seen this page before now….I opened it up on Saturday and my ticket was to Detroit – in hindsight it was stupid but I genuinely thought someone had used my card ….. cue everything wiped off my PC and a nice £60 bill to restore and repair – fine now but I’m so angry and annoyed that there are some people sad enough to get off on this sort of thing!

  52. Dagmara   |  December 19, 2011 at 11:51 am

    I also just received it. I decided to check out first but like some of you I thought at first someone had gotten to my cc…..However, I do not recall receiving real confirmation letters sounding like this one:

    Hello

    FLIGHT NUMBER AB871
    ELECTRONIC 524891814
    DATE & TIME / JANUARY 18, 2012, 10:33 PM
    ARRIVING / Oxnard
    TOTAL PRICE / 178.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines

    This is such a shame some people find joy in ruining somebody else’s work.
    Hopefully it will not be making any more harm.

  53. Catherine Whittington   |  December 19, 2011 at 12:47 pm

    I received this email, destination Chicago, in my AOL email. Fortunately, my husband was sitting in the room at the time. I actually downloaded the .zip file and started to extract when something just felt wrong. I told my husband and he asked me to forward it to him and today he found this post. I also checked my bank account to see if there had been any charge there, but none. It was odd for it to come to my AOL account, because literally NOTHING that I use is attached to that account. I also found the language “a scan document” rather than “a scanned document” strange. Thanks for the info. I’m really glad I stopped the extraction when I did!

  54. Chris   |  December 19, 2011 at 5:28 pm

    I opened this before reading these posts. Does anyone know if this virus can affect a MAC Book Pro?

  55. Mark Berry   |  December 19, 2011 at 6:48 pm

    Chris, I’d be surprised if this affects Macs. Let us know if you find differently!

  56. Me   |  December 20, 2011 at 8:35 pm

    To get your data back you need a program from Bleeping Computer called unhide. I am a computer tech and have experienced many people with same issues. Email me if you need further assistance.

  57. Veve Dell   |  December 20, 2011 at 8:41 pm

    Got this same email today with the destination to california. Must be going around!
    Thanks for these postings…
    I knew I hadn’t bought this plane ticket and thought it was a mistake…
    Thought it was odd the email began with the greeting “hello”
    Glad I didn’t open the file!
    It’s doubly weird that I am actually getting on an airplane tomorrow!

  58. KwangGee   |  December 21, 2011 at 2:42 am

    I received that email this evening but for some reason there was no attachment or links.

  59. Chris   |  December 21, 2011 at 11:00 am

    Dad opened this, took his drive out and put in another machine and ran malwarebytes then put it back in his computer. Found a bunch, but not all XP functions work on his drive. All the data is there, which is good. When trying to boot to safe mode it opens a window for Vista OS and then just boots normal and doesn’t give any “Safe Mode” options. Any idea how to fix the XP OS without a format?

  60. Mark Berry   |  December 21, 2011 at 2:40 pm

    Chris, not sure why Vista would come up if you have XP. Maybe your BIOS is set to “Fast Boot” so you’re not getting the chance to get in with the F8 key. There are a couple procedures in the comments above, e.g. using System Restore, that may not require Safe Mode.

  61. Ina Ames   |  December 21, 2011 at 6:59 pm

    I am contacting you from my XP as my Vaio Vista is crashed. I was flying to NYC on American so I clicked on the e-mail. I saw the “.exe” too late and had already clicked the zip file. My Sony Vaio w Vista OS began faltering and shut down.
    I cannot get F8 to work so no safe mode.

    The only success I have is F2/BIOS settings or F10/Vaio recovery center.
    I really don’t want to lose all my files, my husband has passed away and I have his photos + files I haven’t backed up that I dearly want to keep.

    I used the Vaio rescue Data button to back up to a hard drv but I’m afraid to connect it to another computer for fear it will infect it. I don’t know if it actually worked in backing up files.

    When I tried using the restore point in Vaio recovery center I had an error msg of “no os detected” so it could not access windows to do a restore. Do I have any other options for accessing the info on my HD? I’m hoping it is still there + I can find a way to get in + change the attributes but how? How could I make a rescue cd (no os detected)? Any step by step instructions would be greatly appreciated!!!!
    Thank you

  62. Mark Berry   |  December 21, 2011 at 7:43 pm

    Ina, there are a couple step-by-step procedures in the comments above but if you cannot get F8 to work, or if you are not comfortable with virus recovery in general, I would recommend taking your infected machine to a reputable local professional.

  63. Ina   |  December 24, 2011 at 12:16 am

    I did buy ($10.) a Vista recovery disc online and I used it to boot but it couldn’t see Windows Vista even though I could use it to see some of my files.
    It was very limited in its tools.
    I’m wondering if I could use it to make another cd w “unhide” on it.

    I can go to the command prompt w this cd. Can I use the same old DOS commands to move around in the files? Change the attributes etc?

  64. Mark Berry   |  December 24, 2011 at 8:36 am

    Ina, I would think that you would have access to the DIR command. Not sure if it supports the /ah switch to show hidden files, or whether you also have the ATTRIB command for removing the hidden flag.

    Some colleagues have recommended Hiren Boot CD (http://www.hiren.info/pages/bootcd). I have used Ultimate Boot CD (http://www.ultimatebootcd.com/). Either one should give you a graphical file explorer that would let you look at hard disk contents. Not sure about unhide utilities but these are pretty comprehensive utility CDs so probably unhide is available.

  65. Inga   |  December 27, 2011 at 6:38 pm

    Thanks for posting this article. I was tempted to open this email thinking someone stole my visa number. It did go into my hotmail junk file.

  66. Jeff   |  December 28, 2011 at 7:46 am

    I got this at about 7:40 this morning.

    Hello

    FLIGHT NUMBER AA551
    ELECTRONIC 770448823
    DATE & TIME / JANUARY 13, 2012, 10:53 PM
    ARRIVING / Chattanooga
    TOTAL PRICE / 214.23 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

    ——————————————————————————–

    No virus found in this message.
    Checked by AVG – http://www.avg.com
    Version: 2012.0.1901 / Virus Database: 2109/4707 – Release Date: 12/27/11

  67. jai   |  December 28, 2011 at 10:44 am

    I got the email today and thought my wife made flight arrangements for her upcoming trip. Lucky I opened it on my Mac; so far nothing has happened. But I also opened it on my phone; hopefully nothing is affected and it stays that way.

  68. JSM   |  December 28, 2011 at 2:17 pm

    Got this today–saw it come up on my iPhone as I rarely if ever go out to AOL to read my mail. Figured it was a virus and came out here, so I forwarded it to AOL’s spam team and deleted it. Whew.

  69. Jill   |  December 29, 2011 at 8:58 am

    I got this email to my AOL account which I rarely use and like other people I thought either it’s a virus or someone got a hold of my cc. The wording didn’t sound right which made me think it was probably a virus but out of curiosity I went ahead and opened it on my Android phone. So far nothing has happened. I quickly deleted all the files from my phone anyway.

  70. Jill   |  December 29, 2011 at 10:17 am

    I just got this email in my yahoo account – yahoo caught it as spam – glad I checked here first. Not to mention I have no plans on traveling soon or on AA….

  71. Karen   |  December 30, 2011 at 5:48 am

    Just received this email this morning into my business email, and knew instantaneously it was a virus or password fisher. I travel a few times a month, but never on American Airlines. The improper grammar was also a huge tip-off.

  72. Frank   |  December 30, 2011 at 7:49 am

    My partner opened this same email last evening, AND the attached zip file.
    It immediately began scanning our system, files appearing on screen one after another, appearing to be a WINDOWS anti-virus scan. We use McAfee, not WINDOWS for security, so
    I attempted to close this new screen and run a scan with McAfee. It worked well, up to 97%, then shut down and the virus screen reappeared.
    I immediately unplugged the computer and disconnected it from the intranet. I used my laptop to do research on a cure for this virus. I discovered a company offering assistance – TeeSupport.com – online at 10pm at night – live support. It cost me $69. to have them “takeover” (online) my computer and manually delete the virus.
    I spent the money – as of now, it appears we’ve lost nothing and everything is back to normal.
    Another lesson reminded – never open an attached file that you don’t recognize. (grrrr)
    I hope law enforcement catches the little jerks.

  73. Mike   |  December 30, 2011 at 4:33 pm

    First off thank you so much for your coverage of the Airline Virus Emails that have been going around, it has been a big help.

    Yesterday, my wife opened one of these emails and the attached zip file on her Droid-based T-Mobile Samsung Galaxy S, w/ the Gmail App, not realizing what it was.

    Is her phone at risk? I am not sure anything was installed. I have heard that the .exe cannot be read by Droid but I am also not sure if the .zip had a .exe or something else in it, as she deleted the email after opening it.

    I have run a scan of the phone with some of the free Anti-Virus Apps (Lookout and AVG) from the Marketplace and that reported no issues.

    I have thought about connecting her phone to my HP laptop with Symantec Endpoint Protection to run an additional virus scan but I am concerned that I may infect my laptop if I mount the phone via USB. Should I be concerned about transferring a virus to my laptop if it is in fact on her phone?

    Thank you.

  74. Mark Berry   |  December 30, 2011 at 4:43 pm

    Mike, I’m no Android expert but I doubt a Windows .exe could run there, and so far no one above has reported otherwise. Just connecting your laptop probably wouldn’t matter, but if you went so far as to copy the .exe and execute it, you could infect your laptop. I’d just delete the mail and any saved downloads, and thank goodness you didn’t get infected!

  75. Meesha   |  December 31, 2011 at 9:41 am

    Dear Customer,

    FLIGHT NUMBER A627
    ELECTRONIC 859595824
    DATE & TIME / JANUARY 29, 2012, 11:44 PM
    ARRIVING / Montgomery
    TOTAL PRICE / 275.23 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines.

    This is the email I got. Could only be a virus. If I booked a flight, it would have my name and a city I would travel to.

  76. Cedric F   |  December 31, 2011 at 9:42 am

    I got the same thing! Here is what I got:

    Hello

    FLIGHT NUMBER AB871
    ELECTRONIC 386425646
    DATE & TIME / JANUARY 26, 2012, 10:22 PM
    ARRIVING / Tucson
    TOTAL PRICE / 192.54 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  77. Sev   |  January 01, 2012 at 1:16 pm

    I got one of these today too and didn’t fall for it
    Don’t You Either…………………….

    Dear Customer,

    FLIGHT NUMBER A627
    ELECTRONIC 378860473
    DATE & TIME / JANUARY 31, 2012, 10:33 PM
    ARRIVING / KnoxvilleFort
    TOTAL PRICE / 111.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    American Airlines

  78. Glynda   |  January 01, 2012 at 8:18 pm

    New Airline Ticket Virus Email. Thank you Mark Berry for your kindness in posting the warning regarding this virus email. I just received the email today. I recently stupidly put my real name, address, and email on a web site and thought that the “American Airlines” email was a result of that error.

  79. NWC   |  January 01, 2012 at 9:52 pm

    Just received this today and as I travel often, I opened the file on my HTC Evo Droid phone while I was out, and preoccupied:

    Dear Customer,

    FLIGHT NUMBER A745
    ELECTRONIC 780536635
    DATE & TIME / JANUARY 13, 2012, 10:33 AM
    ARRIVING / St. LouisTampa
    TOTAL PRICE / 199.12 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

    I have looked thru my phone/SD card and can’t recognize if there was a file downloaded. When I clicked on the attachment again on the phone/email it asked “would you like to replace the existing ‘ticket doc’?” When I go thru all of the files tho, I don’t see anything called “ticket doc”.

    I downloaded Lookout virus scanner from the Droid Market and the phone comes up clean – but is this accurate? How can I find the file? I’m totally freaked out that my phone is infected and all of my info is being drained as I type this..

    HELP!!! :(

  80. Robert Sweetman   |  January 02, 2012 at 5:28 am

    I hear it was distributed through AOL email.

    Here’s what I removed (so far):
    zbot trojan virus: detected by AVG free (froze when trying to isolate). Ran a special program from AVG (rmzbot)

    STOPzilla found: (2) inter2000, (1) GASF file (liia.sys) and (29) Registry Key entries

    Reinstalled AVG, ran it, detected and removed: Generic_r.IO, (gmect.f) Win32/Kryptik.YGY (SIL.EXE), Artemis!3115F56C61CA (9B20.tmp), TR/Crypt.XPACK.Gen (B3E0.TMP), Artemis!3115F56C61CA (A59C.TMP)

    All has been quiet now for a day or so. Hope it’s gone!

  81. NWC   |  January 02, 2012 at 11:41 am

    But how do I find it and remove it from my phone? I can’t find any zip files on the SD card, or elsewhere :(

  82. Mark Berry   |  January 02, 2012 at 11:59 am

    NWC, please review my 12/30 comment re. Android.

  83. Rachel   |  January 02, 2012 at 8:20 pm

    Just received one today – thank you for documenting the virus – saved me a great deal of time and expense.

    Dear Customer,

    FLIGHT NUMBER A714BN
    ELECTRONIC 669723510
    DATE & TIME / JANUARY 25, 2012, 10:53 PM
    ARRIVING / Sacramento
    TOTAL PRICE / 189.11 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  84. Bill   |  January 03, 2012 at 8:11 am

    Got this today.

    Hello

    FLIGHT NUMBER AA112
    ELECTRONIC 935047405
    DATE & TIME / JANUARY 13, 2012, 10:22 AM
    ARRIVING / KnoxvilleFort
    TOTAL PRICE / 125.22 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  85. Sandra   |  January 03, 2012 at 8:29 am

    Just had one show up at 11:12am

    Hello

    FLIGHT NUMBER A627
    ELECTRONIC 320508329
    DATE & TIME / JANUARY 30, 2012, 11:44 AM
    ARRIVING / Oxnard
    TOTAL PRICE / 189.11 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for your attention.

    American Airlines.

  86. Graeme T   |  January 03, 2012 at 10:12 am

    Thanks for sharing – I thought it looked like a virus, thankfully it went to my hotmail spam so I was instantly suspicious!

  87. Elise   |  January 03, 2012 at 2:51 pm

    I got one of these today and another a couple weeks ago. First I was going to NYC and then I was going to Grand Rapids. I just want these fools to know I’m not as much of an idiot as they think I am!!!

  88. shalini   |  January 03, 2012 at 3:37 pm

    Thank you for the posts. I thought someone had gotten my CC card and info and was planning on doing some traveling. Glad I googled it first.

  89. Shelly   |  January 04, 2012 at 5:12 am

    I received two of these today. It was a close call for me to open it because I AM flying AA in a few days and made a change yesterday. The first clue was that it went to my spam account, the second was it looked NOTHING like the other emails from AA. Glad to find my gut instinct was correct.

  90. Steph   |  January 04, 2012 at 8:56 am

    Got one today too! I do NOT fly, so this was a curious inbox find to say the least. Perhaps I am still oversensitive, but to see a fake flight #A911, knowing American Airlines flight 11 was one of the 9/11 casualties, is pretty freakin’ crappy IMO.

    Your Order#517599993
    American Airlines account.id3994@aa.com

    Dear Customer,

    FLIGHT NUMBER A911
    ELECTRONIC 641467651
    DATE & TIME / JANUARY 27, 2012, 11:44 PM
    ARRIVING / Aurora
    TOTAL PRICE / 189.15 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  91. Susan   |  January 04, 2012 at 3:26 pm

    I received one today sending me to Amarillo… as a Texan, I can say that I would never purposely choose to fly there!

    FLIGHT NUMBER AA534
    ELECTRONIC 747841554
    DATE & TIME / JANUARY 13, 2012, 10:33 AM
    ARRIVING / Amarillo
    TOTAL PRICE / 257.58 USD

  92. CHRISTINE   |  January 04, 2012 at 5:19 pm

    I received the email on my phone. Since I haven’t made any arrangements to fly, I did not open. I checked the AA website to check if the flight number existed. It didn’t. I was also afraid that someone booked using my credit card. Then on to Google where I found all you great people posting the same thing. Thank you for sharing. I immediately deleted it.

  93. Phil   |  January 05, 2012 at 9:53 am

    Never open an e-mail you don’t trust. The American Airlines ticket virus just got me. What was I thinking? I had to restart my computer in safe mode to try a system restore. I think it worked. Good luck. Why isn’t the FBI going after these thieves? Follow the money and bust them. It’s attempted theft. They infect your computer then offer to sell you the problem fix. Follow the money and bust their ass. Prison time is what these jerks should get, not our cash.

  94. Pat   |  January 05, 2012 at 11:03 am

    I received this email on Jan 2, flying to Chicago! Flight A911. Thought it suspicious so first checked all my credit cards for the amount posted for the cost. Then googled the flight #. BTW…who wants to go to Chicago in Jan? GEEZ…at least pick Florida!!! LOL.

    Thanks for the heads-up!

  95. mike   |  January 05, 2012 at 1:31 pm

    when you get a free ticket in the mail which doesn’t even tell you what city you are leaving from and then look at the AA website to see there is no such flight number and NEVER EVER open a ZIP file from someone you don’t know

  96. Chris   |  January 05, 2012 at 2:01 pm

    Just received one with arrival to Plano?? Flight A864, through AOL account. Almost got me because I do have a flight booked with American Airlines to another destination and didn’t read it carefully, but thankfully my AVG caught it as a Trojan horse virus before I could open it. Checked online and found all the warnings, will never do that again before reading it thoroughly first!!

  97. DW   |  January 05, 2012 at 4:13 pm

    Got one like this today and was immediately suspicious, did not open the attachment, and marked it as spam. I realized that had I actually recently made some kind of travel plan, I might have been duped into opening this. So obnoxious.

  98. Teresa   |  January 06, 2012 at 10:57 am

    Here’s what I did to restore his PC:
    Closed all open windows
    Reboot in safe mode with networking
    Because we couldn’t see IE – in search – put in Run and then iexplore.exe
    Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded ComboFix – print all instructions first.
    Ran ComboFix – after it was done the icons returned to the desktop
    Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    Started with #7 and downloaded Malwarebytes and ran it – found 3 items
    Continued with #19 to unhide the icons
    Rebooted as normal and PC was back to pre-virus state.

  99. Karen   |  January 06, 2012 at 1:16 pm

    Yeah… I wasn’t so smart and opened it, luckily my security suite caught it and quarantined it -_- that’s a scary one though, because it seemed pretty real.

  100. Randy   |  January 07, 2012 at 8:36 am

    Just got a new version of this virus:
    Dear Customer,

    FLIGHT NUMBER A714BN
    ELECTRONIC 712573989
    DATE & TIME / JANUARY 17, 2012, 10:22 AM
    ARRIVING / Miami
    TOTAL PRICE / 157.17 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for your attention.
    American Airlines.

  101. Mark Berry   |  January 07, 2012 at 10:44 am

    Just noticed that in all the examples submitted, not a single one lists a departing city. When have you ever received a flight confirmation that didn’t list the from AND to airports? Of course if they put that in there, it would make the fraud more obvious, since they would be unlikely to list your local airport.

  102. S. Parisi   |  January 09, 2012 at 11:24 am

    I received mine the other day. Apparently I was traveling to Newark on 1/13/12. I’m glad I didn’t open it. Thank you all for the heads up.

  103. Nick   |  January 10, 2012 at 3:12 am

    I’d suffered the results of the virus since I’d scheduled a flight on American Airlines and assumed the email was legitimate without reading details before opening the attachment. My computer specialist was able to recover my primary desktop but not the JPG photos on my pocket hard drive. Is there a good way to recover these?

  104. Mark Berry   |  January 10, 2012 at 8:24 am

    Nick, if they really are just hidden files, as some have suggested above, you should be able to turn on hidden files in Windows Explorer to see the files, then change the files’ attributes (remove the “H” hidden flag) to unhide them. Here are a couple of relevant articles:

    http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
    http://www.cypherhackz.net/archives/2009/04/06/files-hidden-by-virus-how-to-unhide-them/

  105. Nathan   |  January 10, 2012 at 8:37 am

    I got this too and it got past all of my security

    I sent it on to American Airlines over a week ago
    not heard a thing from them
    they obviously don’t give a $%*t

  106. Mr Vang   |  January 10, 2012 at 10:52 am

    I just got this today… glad I searched. My Avast antivirus won’t let me open the zip. It says it contains a trojan virus.

  107. Emily   |  January 10, 2012 at 11:29 am

    Afternoon all,
    Currently living in England and due to fly to New York for a 5 day break next week, was surprised to see this in my email box. Thought it was my real ticket as my mum has sorted the flights out; I really thought she had just got the airline to forward the ticket to me!! Thanks to all your comments I deleted it and no virus infected anywhere! :) x

  108. DJ   |  January 10, 2012 at 2:56 pm

    All I have to say is that you people do a great act of charity by saving a lot of people a lot of heartache! I received the email… was suspicious so I opened it with my iPad instead of my home PC. I even opened the zip file but the file informed me that it could not be opened in DOS mode… it appeared to be an .EXE file… so I deleted all the files associated with the email… looked at your blog, realized I should have looked up the possibility of this being a virus before ever opening it, even on the iPad. Thanks again!!!!

  109. jh   |  January 11, 2012 at 11:04 am

    The damn virus is still going around, luckily my spyware caught it. They should lock those people up with nothing better to do. Do some good for the world instead of infecting people’s computers. What a waste of talent.

  110. scarrlitte   |  January 12, 2012 at 12:27 pm

    It IS still going around! My mom’s computer has a virus or something, we know that, and I’m going to run Malwarebytes and some other stuff on it this weekend. But last week, my sister and her husband, who live in Chicago, were leaving and had checked in for their American Airlines flight using our mom’s computer the night before. Later that same night, our mom received an official looking email regarding a flight she supposedly had booked for Chicago! Makes you wonder if someone is monitoring my mom’s computer activity! How was it that it knew to send an email about a flight to Chicago and not JFK or some other city??

  111. john   |  January 12, 2012 at 12:45 pm

    how do i restore my missing files?anyone

  112. Mark Berry   |  January 12, 2012 at 12:48 pm

    scarrlitte, good question. You’re the first to mention the possibility of a targeted campaign. It’s probably a coincidence, but post back if your scans turn up any nasties on her computer!

  113. Mark Berry   |  January 12, 2012 at 12:53 pm

    John, check the comments above dated 12/16/2011 and 1/16/2012 for suggestions. Use at your own risk. If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

  114. Pam Sanford   |  January 12, 2012 at 4:21 pm

    I also received this today. 2 weeks ago we had a $400 charge on one of our debit cards in England so needless to say, it freaked me out thinking it has happened again. I got as far as the step before opening attachment and thought… wait a minute, better google this just in case. Thank God everyone posted, Thank You. Next step… sending it on to AA.

  115. Pam Sanford   |  January 12, 2012 at 4:25 pm

    Scarrlitt….very good question. I have not been on any airline websites but, I live in Tn and originally from Wa. state. If I were to visit, I would fly into Spokane, which is exactly where they said this ticket went to. Coincidence? How many here that have posted have the “same” coincidence?

  116. Borry   |  January 13, 2012 at 5:42 am

    I received last night on mail. but why my ticket more than very expensive :)

    Dear Customer,
    FLIGHT NUMBER A445
    ELECTRONIC 385366975
    DATE & TIME / JANUARY 30, 2012, 12:44 AM
    ARRIVING / Philadelphia
    TOTAL PRICE / 324.22 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

  117. coco   |  January 13, 2012 at 8:18 am

    Got one this morning.
    Wow

  118. Ryan   |  January 13, 2012 at 1:51 pm

    I received one of these today (I’m off to Pittsburgh apparently). Was somewhat suspicious, but as the attachment claimed to be a .MIM file rather than a .exe or .zip and such file extensions appeared to be safe according to fileinfo.com, I tried to open it. Luckily my PC wouldn’t open it without choosing a program to open it with. I assume the senders could have changed the file type to disguise that it was a .exe or zip file?
    Have done a full system scan with Norton and found nothing so hopefully I have had a lucky escape.

  119. racjel   |  January 13, 2012 at 2:30 pm

    Received one this morning going to Anaheim. I opened thru my blackberry & couldn’t click the link. Thank goodness I kept it away from my computer. Thanks for all of the info :)

  120. Mark Berry   |  January 13, 2012 at 6:11 pm

    Ryan, looks like WinZip and even Outlook open .mim (MIME) files. I bet if you had one of those installed, as many people do, it would have opened to reveal an executable, which if clicked would have installed the virus. Yes, a lucky escape! http://www.fileinfo.com/extension/mim
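
Added example, not part of the comment thread or the original post: a Python check for the situation described in comments 118 and 120, unwrapping a .mim (MIME) attachment and the zip inside it and flagging any entry whose content starts with the Windows executable "MZ" signature, whatever its name says. The sample message, the file names inside it, the extension lists and the depth and size limits are constructed for illustration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
WRAPPER_EXTS = {".mim", ".eml"}      # MIME containers that mail clients and WinZip unpack
MAX_DEPTH = 3                        # assumed limit on nested containers
MAX_ENTRY_BYTES = 20 * 1024 * 1024   # assumed limit per unpacked zip entry


def inspect_blob(name, data, depth=0, trail=""):
    """Return [(path, reason)] for one attachment, unpacking zip and MIME wrappers."""
    where = f"{trail}/{name}" if trail else name
    if depth > MAX_DEPTH:
        return [(where, "nested too deeply, not inspected")]
    findings = []
    ext = os.path.splitext(name.lower())[1]
    if data[:2] == b"MZ":
        # DOS/Windows executables start with these two bytes, whatever the file is called.
        findings.append((where, "Windows executable (MZ header)"))
    elif ext in EXECUTABLE_EXTS:
        findings.append((where, "executable file extension"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings += inspect_zip(data, depth, where)
    elif ext in WRAPPER_EXTS:
        inner = email.message_from_bytes(data, policy=policy.default)
        findings += inspect_message(inner, depth + 1, where)
    return findings


def inspect_zip(data, depth, where):
    """Inspect every file entry of a zip archive held in memory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(where, "corrupt zip, not inspected")]
    findings = []
    with zf:
        for info in zf.infolist():
            entry = f"{where}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                findings.append((entry, "password-protected entry, not inspected"))
            elif info.file_size > MAX_ENTRY_BYTES:
                findings.append((entry, "entry too large, not inspected"))
            else:
                findings += inspect_blob(info.filename, zf.read(info), depth + 1, where)
    return findings


def inspect_message(msg, depth=0, trail=""):
    """Inspect every named (attached) part of a parsed message."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""
        findings += inspect_blob(name, data, depth, trail)
    return findings


def scan_email(raw: bytes):
    """Parse a raw message and return the findings for all of its attachments."""
    return inspect_message(email.message_from_bytes(raw, policy=policy.default))


def build_sample() -> bytes:
    """Constructed sample: a .mim wrapper holding a zip that holds a fake .exe."""
    fake_pe = b"MZ" + b"\x00" * 62   # stand-in bytes, not a working program
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Ticket.exe", fake_pe)
        zf.writestr("readme.txt", b"constructed benign entry")
    inner = EmailMessage()
    inner["Subject"] = "constructed wrapper"
    inner.set_content("see attachment")
    inner.add_attachment(zbuf.getvalue(), maintype="application",
                         subtype="zip", filename="Ticket.zip")
    outer = EmailMessage()
    outer["Subject"] = "Your Order (constructed sample)"
    outer.set_content("Please find your ticket attached.")
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="Ticket.mim")
    return outer.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_email(build_sample()):
        print(f"{path}: {reason}")
```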

  121. Bo Cochran   |  January 15, 2012 at 3:35 am

    I just got this email, thankfully I googled it…

    Dear Customer,
    FLIGHT NUMBER A842BA
    ELECTRONIC 566801615
    DATE & TIME / JANUARY 26, 2012, 12:44 PM
    ARRIVING / Tacoma
    TOTAL PRICE / 389.35 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  122. kirsten   |  January 15, 2012 at 5:43 am

    Just got this email this morning. I was almost fooled…I had used credit card online last night…therefore shitting bricks when I saw this American Airlines email ticket confirmation this morning. Ya it has a ZIP file. Apparently a trojan.
    phew.
    I like sticking together. Thanks guys.
    Cheers
    kirsten

  123. Amber   |  January 15, 2012 at 7:48 pm

    It tricked me because I actually have a flight coming up on American Airlines. Luckily AVG caught it and warned me that it contained a trojan. I hate bastards that send viruses!

  124. Marlon   |  January 16, 2012 at 10:24 am

    Macs Rule!! just got this email today, opened the zip file with my Mac and found out it was an .exe, I started surfing google and found this, Thanks for the posts

  125. Shea   |  January 16, 2012 at 11:50 am

    I got this sneaky virus.
    I fixed it with the above post at the http://www.bleepingcomputers.com software fixes.
    Running ComboFix in safe mode, then Malwarebytes anti-malware, then ComboFix a second time to get all my icons and files back.
    Then run any and all other antivirus to clean it up.
    Your files are not erased, just all completely hidden. Then another fake antivirus posts that you have critical errors and asks you to purchase to fix. Do not listen to this Windows-looking alert.
    Anyways scroll up and follow the directions. It took me hours to get this done due to the many scans needed and ComboFix is a slow process but it worked. Be patient with it.

  126. phill   |  January 16, 2012 at 11:51 am

    I always knew it was a virus but if not I might be flying to Texas Lol

    Dear Customer,
    FLIGHT NUMBER AA522
    ELECTRONIC 510833740
    DATE & TIME / JANUARY 29, 2012, 12:44 PM
    ARRIVING / Grand Prairie
    TOTAL PRICE / 333.32 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  127. Denise   |  January 16, 2012 at 1:05 pm

    Received the same email in my junkmail, but didn’t open the attachment. The flight referenced Bakersfield, but everything else was the same. It doesn’t even look like an email American Airlines would send.

  128. Cate   |  January 16, 2012 at 1:32 pm

    Thanks so much, I knew it had to be a scam, but like a lot of you thought someone had maybe stolen my credit card details.

    Content-Type: text/html;
    Content-Transfer-Encoding: 8bit

    Hello
    FLIGHT NUMBER AA452
    ELECTRONIC 825541721
    DATE & TIME / JANUARY 28, 2012, 12:44 PM
    ARRIVING / Arlington
    TOTAL PRICE / 399.32 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

    I just checked the message source looks very similar.

    It passed my virus protection

  129. Ab   |  January 16, 2012 at 2:22 pm

    Hi! A friend opened the file and I restored the PC to a last restoration point but unfortunately almost all files and programs were gone. I ran Ubuntu from a USB stick and all the files were there, I could back them up and re-install Windows. Was not the best solution but I could get my files back!!!!

  130. Ab   |  January 16, 2012 at 2:24 pm

    Please let me know if there is a way to fix it without re-installing, thanks!!!

  131. Jeff   |  January 16, 2012 at 3:12 pm

    I clicked on this american airlines email on my mac, but did not open any attachments in it. Now, when I log into Safari, the top Yahoo topic is porn. Did this happen to anyone else? Also, any ideas on how to remove it from a mac?

  132. Mark Berry   |  January 16, 2012 at 3:38 pm

    Ab – there are several comments on removal above.

    Jeff – not a Mac user but it seems unlikely you got a real virus. Maybe it (or something else) changed your Safari home page or favorites? Also check your DNS settings in the Mac and in your router–seems like I’ve heard of viruses that can hijack the DNS so search results (for example) would return illegitimate sites. You should be using DNS IP addresses from your ISP, or maybe a reputable third party like OpenDNS.

  133. STEPHEN   |  January 16, 2012 at 4:22 pm

    CAN SOMEONE PLEASE GIVE ME A DETAIL STEP BY STEP TO REGAIN MY LOST FILES THANK YOU ANYTHING WOULD BE APPRECIATED

  134. Mark Berry   |  January 16, 2012 at 4:40 pm

    Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments above:

    December 16, 2011 – Susan Green
    December 16, 2011 – Michael
    January 6, 2012 – Teresa
    January 16, 2012 – Shea

    Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

  135. Peter Buckley   |  January 17, 2012 at 1:34 am

    This is a pretty nice virus as it is fixable but it’s a little tricky to do. Firstly, just so you all know, I did not open the file; it was my mother’s laptop, and she had clicked on it thinking it was a ticket for something booked recently, exactly the people the spam emails were after.

    To start I told my mum to turn off the computer urgently. In this case it was 10 minutes after infection so the virus had not run its full course. I then took out the hard drive from the laptop and connected it to my PC. This is to isolate the drive and stop the virus spreading or making the virus files read only. I then ran Malwarebytes (a free malicious software scanner available by typing the name in Google) on the hard drive to clear up the virus.

    Once it had destroyed the .exe file and all the software from running I put the hard drive back in the laptop. I then booted in safe mode (by pressing F8 before the Windows splash screen and selecting safe mode) and performed a system restore to before the file was clicked.

    This then allowed the computer to boot up as normal but for some reason a load of files were hidden, mainly the picture folder, so what the virus was doing I can only take a guess. So right click on the picture folder and go to properties and untick hide. Or you can make hidden files visible by going into tools/folder options and one of the tabs, I can’t remember off the top of my head, to find the files it has hidden.

    I then for good measure installed Malwarebytes on the laptop and ran it to destroy the last of the virus. The laptop is back up and running now with no loss of data and performance back to pre-virus.

    Instead of trying to take the hard drive out you could try a system restore in safe mode and then install malwarebytes to kill the files on your hard drive. I did it a long winded way as the photos on the laptop were mainly not backed up and I wanted to make sure they were not lost.

    Hope this can help some people.

  136. Jeff   |  January 17, 2012 at 3:24 am

    Thank you Mark!

  137. Grannie M   |  January 18, 2012 at 3:55 am

    Mine was to San Diego !

  138. Shira   |  January 18, 2012 at 2:54 pm

    Well, I got one as a PDF and my husband opened it. I had to do a complete System restore from my Windows CD. It bypassed both the antivirus on my email server (1and1) and AVG. It still isn’t showing after a scan by both AVG and Norton. It came as a PDF and from what I can gather, it’s a scam to make you sign up and pay for some sort of software that “fixes” all the “faults” it finds on your computer. It gives you a whole list of stuff that is supposedly dangerous (overheating CPU etc) and it’s all rubbish. It also makes it look like the boot sector has failed and the hard disk is unreadable, which is just silly as the operating system is still working! It’s the first time in 15 years that I have been caught out like this and I am fuming. I would castrate these malicious kiddies if I could get my hands on them.

  139. Tessa   |  January 19, 2012 at 9:06 am

    Thanks for info. I received this today but going to Corpus Christi.

  140. Kali   |  January 19, 2012 at 10:45 am

    So…I have tried to repair my computer based on the suggestions above. My issue is that none of my programs show up when I go to “Start” and “All Programs.”

  141. Bob   |  January 19, 2012 at 11:45 am

    If you get rid of the infection by using Malwarebytes or your installed anti-virus program but your documents still don’t show up you can use the attrib command to unhide them.

    Open a command prompt by holding down the “Flag” key and pressing “R” or Start>Run and type cmd. Hit enter to get a command prompt. Type the following to unhide all your documents:

    (Windows 7) attrib -s -h -r c:\users\{username}\documents\*.* /s /d
    (Windows XP) attrib -s -h -r "c:\documents and settings\{username}\my documents\*.*" /s /d

    Substitute your user name for {username}. XP requires the quotes. Windows 7 will require quotes if your user name has a space in it.

    If your Windows 7 libraries are missing, go to the start globe and click on Computer. Drop down the Organize tab. Click on Folder and Search Options. Click on the View tab. Click Show hidden files, folders, and drives. Click OK. Navigate to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Libraries. Right click on each library folder and left click on Properties. In the General tab, make sure the Hidden box is unchecked.

  142. Mark Berry   |  January 19, 2012 at 1:10 pm

    Thanks Bob, that should help some folks. I think I might recommend starting with just the -h parameter to remove the Hidden attribute:

    (Windows 7) attrib -h c:\users\{username}\documents\*.* /s /d
    (Windows XP) attrib -h "c:\documents and settings\{username}\my documents\*.*" /s /d

    Removing the System (-s) and Read-Only (-r) attributes (e.g. from thumbs.db files) might mess with certain functionality. On the other hand, if the virus sets *every* file to System and Read-Only, you won’t have much choice but to remove those attributes as well.
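
Added example, not part of the thread: a Python version of the attribute repair discussed in the two comments above, which lists what it would change before writing anything and clears only Hidden unless asked to also clear System and Read-Only. The script's `--apply` and `--all` switches and its skip list for files that Windows itself keeps hidden are assumptions of this example.

```python
import ctypes
import ntpath
import os
import sys

READONLY, HIDDEN, SYSTEM, NORMAL = 0x01, 0x02, 0x04, 0x80   # Win32 file attribute bits
# Files Windows itself keeps Hidden+System; left untouched (assumed skip list).
KEEP_AS_IS = {"desktop.ini", "thumbs.db"}


def plan_unhide(entries, also_clear=0):
    """Given (path, attributes) pairs, return [(path, old, new)] for hidden items.

    Only HIDDEN is cleared by default (the cautious 'attrib -h' variant); pass
    also_clear=SYSTEM | READONLY to mirror the broader 'attrib -s -h -r'.
    """
    plan = []
    for path, attrs in entries:
        if not attrs & HIDDEN:
            continue                      # already visible, nothing to do
        if ntpath.basename(path).lower() in KEEP_AS_IS:
            continue
        new = attrs & ~(HIDDEN | also_clear)
        if new == 0:
            new = NORMAL                  # Win32 uses NORMAL for "no attributes set"
        plan.append((path, attrs, new))
    return plan


def scan_tree(root):
    """Yield (path, attributes) for every folder and file under root. Windows only."""
    for folder, dirs, files in os.walk(root):
        for name in dirs + files:         # folders carry attributes too
            path = os.path.join(folder, name)
            try:
                yield path, os.stat(path).st_file_attributes
            except OSError:
                continue                  # unreadable entry: skip it


def apply_plan(plan):
    """Write the planned attributes; return the paths that could not be changed."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.SetFileAttributesW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32]
    failed = []
    for path, _old, new in plan:
        if not kernel32.SetFileAttributesW(path, new):
            failed.append(path)
    return failed


if __name__ == "__main__":
    if os.name != "nt" or len(sys.argv) < 2:
        sys.exit("usage (Windows only): unhide.py <folder> [--apply] [--all]")
    mask = SYSTEM | READONLY if "--all" in sys.argv else 0
    plan = plan_unhide(scan_tree(sys.argv[1]), also_clear=mask)
    for path, old, new in plan:
        print(f"{old:#06x} -> {new:#06x}  {path}")
    if "--apply" in sys.argv:             # without --apply this is a dry run
        for path in apply_plan(plan):
            print("could not change:", path)
```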

  143. J. Hall   |  January 20, 2012 at 4:55 am

    I got this email today again, I got it 2 weeks ago but luckily Kaspersky picked it up as a virus.
    I wish I knew who sent these as I would gladly shove it right up their arses!!!

  144. Kiel   |  January 20, 2012 at 7:47 am

    This one is still out there. Got through my Google yesterday.

  145. Steve   |  January 20, 2012 at 12:29 pm

    My wife opened this darn thing yesterday. I am by no means a computer guy, but I’ll try the fixes mentioned on here. It appears that my hard drive is deleted – the screen is blank except for the recycle bin, and no files are visible. Hope it’s true that my hard drive isn’t deleted, but just “looks” that way.

    STeve

  146. Hubert   |  January 20, 2012 at 3:27 pm

    Hi Mark Berry! Thank you so much for the warning! I am writing from Germany, I received the mail also on January 20, 2012, my flight went to Shreveport, Louisiana. The attached file was simply named “Ticket.zip”. Thanks to you, I didn’t open it! Best regards, Hubert

  147. Mark Berry   |  January 20, 2012 at 3:39 pm

    Hubert, glad to hear the warning is “getting through” even in faraway Germany! All the best – Mark

  148. Louise   |  January 20, 2012 at 9:08 pm

    I received this in an email tonight, but because I wasn’t going
    on a trip I checked my bank account and then the web. I flagged
    this spam and never tried to open it on my iPad.

    Dear Customer,
    FLIGHT NUMBER AA429
    ELECTRONIC 627696775
    DATE & TIME / JANUARY 25, 2012, 11:52 PM
    ARRIVING / Pittsburgh
    TOTAL PRICE / 224.44 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for your attention.
    American Airlines.

  149. Jacquie   |  January 22, 2012 at 3:39 am

    Hi, the same thing happened to me and I opened it in error. Everything seems all right and everything appears to be there and I have full access. I don’t know if anything is missing. I wish I had looked this up on the net before opening it. I will run the Malwarebytes program suggested.

  150. HC   |  January 22, 2012 at 7:02 am

    Just got the email… be careful with those stupid dumb scammers!!

    Hello
    FLIGHT NUMBER A445
    ELECTRONIC 767259715
    DATE & TIME / JANUARY 23, 2012, 11:22 PM
    ARRIVING / Newark
    TOTAL PRICE / 382.34 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  151. person a   |  January 22, 2012 at 8:33 pm

    just received today

  152. Glenda   |  January 23, 2012 at 1:05 pm

    Thanks so much for everyone’s help. Having my identity stolen several times I stupidly opened this one thinking someone had done it again. I NEVER open the darn things. Anyway I quickly realised that the files were only hidden, luckily, as I had just spent all weekend doing a tax return. But I still can’t get the main documents/photos etc. icons to be in anything but faint type, although I have the actual inserts in normal type with nothing hidden. Any ideas?

  153. Jill & Keith Scott   |  January 23, 2012 at 1:07 pm

    My husband unfortunately opened the airline ticket attachment in AOL from his android cell phone. What should we do next?

    Thank you everyone else who notified the public. I of course google’d the phrase “airline ticket virus” but was too late for my brilliant husband.

  154. Mark Berry   |  January 23, 2012 at 1:27 pm

    Glenda – maybe your files are still set as System or Read Only. Right-click on a file and check its attributes. See Bob’s and my comments on 1/19 re. changing attributes.

    Jill – see my 12/30 comment re. Android.

  155. Glenda   |  January 23, 2012 at 1:44 pm

    Thanks Mark. For example, I have done that for all my documents and unchecked all the secret and read only boxes and all the documents are in normal type, but it is the folder that is in light type! Still, just so pleased that I have got this far!

  156. Mark Berry   |  January 23, 2012 at 2:31 pm

    Glenda – folders can have attributes, just like files. You may have to use the command prompt and the ATTRIB command to change all folder attributes. Also be sure to run Malwarebytes and/or other anti-virus programs to make sure you get rid of the actual virus.

  157. Elizabeth   |  January 23, 2012 at 4:00 pm

    Well… I got it… and opened it… and got screwed. I had no idea this dang thing was out there. Our computer is now at the shop being fixed. What a shame!

    Is this the virus that is supposed to allow access into your bank accounts? I heard that there is a virus out there right now that comes from the “FDIC” which, if opened allows these jerks to drain your accounts.

    MAKE IT STOP!

  158. Bob   |  January 24, 2012 at 9:31 am

    Not sure what is going on…I got it also and like a dummy I opened it. So I followed the leads from above and am trying to run the stuff from “bleeping computers” but it gets to the scan and runs for awhile (like 20 mins) and then it appears to stop..and just sits, won’t continue, just sits and sits…
    Has anyone else had this problem or know of a solution…I would really like to get this going if possible….
    I ran Malwarebytes already and it only found (1) bad file…I found “tickets.exe” and removed it from win/prefetch..didn’t help…so now I’m in limbo..any help would be greatly appreciated.

  159. Mark Berry   |  January 24, 2012 at 10:23 am

    Bob, see Shea’s comment on 1/16. Sounds like the scans may take hours.

  160. amer   |  January 24, 2012 at 3:22 pm

    i am saudi

    I opened this email, unfortunately,

    Download the attached file

    And opened the program exe

    Delete my files and programmatic and recovery

    my laptop is sony vaio
    I worked a system restore my files and I came back but was hidden

    And then worked Recovery of the system by pressing the F-8

    Woe to those who made this virus

    thank you mr. mark berry

    and
    I am sorry for my bad English

    bye ^___^

  161. jane k   |  January 24, 2012 at 3:34 pm

    Unfortunately I got an email to Fort Worth, TX. Thank you so much for the suggestions posted, but my question is if anyone can answer this please. So after the PC crashes and all files are lost, sadly, is that all that happens, or should I be concerned in that the crashing of the PC is a gateway to any sites I have accessed on the PC like banking sites, loan sites etc. that the scammers would be able to retrieve and use my information? Like for example if I go online to pay a bill every month, use a credit card to make that payment. Would they have access to that, including passwords? Thank you in advance.

  162. Chris   |  January 24, 2012 at 7:59 pm

    I just received the American Airlines email today (24th January 2011). Apparently I’m flying to Ontario.

  163. Julie   |  January 24, 2012 at 11:13 pm

    So I got this email today and I opened it because I was going to New York but changed it to Miami this past few dates so of course I opened it. So I turned it off then back on and pressed F8, chose safe mode in networking, control panel and had the backup. The thing is that I have two hard drives and the one with my important documents and it seems that they are there because it shows how much space is free but I can see them when I go inside the drive. I tried putting the antivirus and it seems as if it scans all the documents. I don’t have a backup of this disc drive so I can’t go back to its original phase as the other one. Can anyone please help me out?! Write to me to [email removed] I will acknowledge your help, thank you

  164. jason   |  January 25, 2012 at 4:56 am

    I own my own computer repair company and I have a few tips for people. These tips are for Windows 7 but can be adapted to other versions. I’m getting about a call a day about this virus and this has been going on for a week. These tips are for getting your files off your computer before you start playing around.

    1. Your files are not lost, they are hidden, same with your start menu. Shut down your computer and start it in safe mode by hitting F8 and start in safe mode with networking
    2. Once Windows is open in safe mode right click the task bar – then properties – then the middle tab “start menu”
    3. Once you are in the start menu tab click the “customize” button
    4. Now click use default settings or manually change them

    Now when clicking on the start menu you can use my computer again

    5. Click on my computer
    6. Click on organize – folder and search options
    7. Click view tab
    8. Click the radio button that says show hidden files folders and drives and then ok
    9. Now when looking at your C drive right click the users folder – properties
    10. Uncheck the hidden box and when prompted choose to apply the setting to all sub folders

    Yeay, you can see your files

    11. Pop in a flash drive and copy your documents, just watch out for the app data that might be hiding the virus in some sub directories

    Beyond this every variant of this is a little different and you can pick your weapon of choice to try to remove it

  165. lauren   |  January 25, 2012 at 8:48 am

    Hi there, have just received an email myself from American Airlines saying I have bought a flight for 211 USD to Houston! Fab as I’m terrified of flying so pretty sure I wouldn’t have bought it myself! Really glad to see that there are people that help identify stuff like this as I was really worried but googled it and found you lot! Do not open it and let all your friends and family know not to open anything similar too.

  166. Mark Berry   |  January 25, 2012 at 10:02 am

    Julie – I removed your email address from your comment for your own protection. (Publishing your email address online makes it easy for people to send you spam and viruses.) Jason’s comment right below yours may help you at least get a backup of your files. If you are still unsuccessful, you may need to contact a computer professional in your area for help.

  167. Julie   |  January 25, 2012 at 10:48 pm

    Thanks Jason your instructions worked perfectly! I have my documents right back YEAY!

    Mark, thanks, even though that email can only open in my blackberry ;) thanks anyway! This blog helped me with my problems! Woohoooooo!!!!

    :D

  168. JANINE(France)   |  January 27, 2012 at 5:29 am

    I also received this email from American Airlines for a destination to Huntsville.
    I opened it, because the flight was on January 19 and that is my birthday.
    So, simple curiosity.
    I had to call in a professional to try to repair the damage.
    It’s more or less OK, except that I no longer have my photos or my desktop wallpaper.
    Plus other things that I haven’t found again.

  169. David   |  January 27, 2012 at 2:27 pm

    Just got the email today. I didn’t open it but it is filtering through the free email accounts on mail.com now. They have pretty good filtering for spam, but this one went directly to my inbox.
    Hopefully they send the writer of this virus to prison soon if he’s not already there…

    “American Airlines”
    Attachment (1)

    Ticket.zip

    Hello

    FLIGHT NUMBER AB712
    ELECTRONIC 6489864
    DATE & TIME / JANUARY 26, 2012, 09:21 PM
    ARRIVING / Oxnard
    TOTAL PRICE / 177.11 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

  170. Nicole   |  January 28, 2012 at 9:17 am

    Follow Susan Green’s instructions. It took me about 3 hours total to correct my computer, and I found that I saved nearly 200 dollars (I live in NYC area) that I would have needed for a professional to fix my computer. I decided to reprint them just in case you cannot find them….
    Susan Green | December 16, 2011 at 3:33 pm
    Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
    Here’s what I did to restore his PC:
    Closed all open windows
    Reboot in safe mode with networking
    Because we couldn’t see IE – in search – put in Run and then iexplore.exe
    Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
    Ran combofix – after it was done the icons returned to the desktop
    Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    Started with #7 and downloaded Malwarebytes and ran it – found 3 items
    Continued with #19 to unhide the icons
    Rebooted as normal and PC was back to pre-virus state.

    Good luck!

  171. Mark Berry   |  January 28, 2012 at 11:03 am

    Heads up, folks. A very similar scam, this time pretending to be from FedEx:

    http://www.mcbsys.com/blog/2012/01/new-fedex-virus-email/

  172. Owen   |  January 30, 2012 at 10:38 am

    New definitions are starting to catch it. Eset caught it on mine pretty early on.

  173. Mark Berry   |  January 30, 2012 at 10:49 am

    Owen, are you referring to the airline virus or the FedEx virus? Updated definitions started catching the airline one within a few days in November but obviously a lot of people got it later. Maybe they swap out the virus from time to time. It seems it’s not hard to come up with a virus that gets past scanners for a few days.

  174. Cam   |  February 03, 2012 at 4:42 pm

    I just got the American Airlines email in my junk folder. Knew it couldn’t be good so I’m sooo glad I googled before I opened it!!

  175. Brandon   |  February 04, 2012 at 7:46 am

    Does it affect you if you open the e-mail? I did not open the attachment.

  176. Mark Berry   |  February 04, 2012 at 9:56 am

    Brandon, no, it should only affect you if you open the zip attachment and open (run) the file inside the attachment.

  177. PansyAston   |  February 05, 2012 at 4:22 am

    Just received it! Thank heavens I did no more than open the mail! The last United trojan cost me big bucks to remove!!!

  178. Brian   |  February 05, 2012 at 1:58 pm

    Got one today. The thing is, I’m flying with AA in a week’s time and nearly opened it. Then I said whoaa, my ticket is electronic, I shouldn’t be getting any printout. I read it carefully and it said I’m going to Dallas. Ha, nice try! I ain’t going anywhere near there.

  179. yo   |  February 08, 2012 at 10:19 am

    I received this mail today 8 February, 2012

    Dear Customer,

    FLIGHT NUMBER AA430
    ELECTRONIC 9756475
    DATE & TIME / FEBRUARY 18, 2012, 11:21 PM
    ARRIVING / St.Louis
    TOTAL PRICE / 345.11 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  180. Mark Berry   |  February 09, 2012 at 5:59 pm

    Yawn, got another one of these today, heading for Lexington.

    The disturbing thing is that again it has bypassed my anti-virus. It must be really easy to modify viruses to bypass AV now. This one is currently recognized by 8 of 43 engines. Seems like Sophos is often earlier than others in catching these…

  181. paul   |  February 10, 2012 at 10:02 am

    In Ireland now I got the airline Virus today 10/2/12 as I had just purchase two flights thinking it was from the airlines confirmig the flights.It deleted everything ,I tried all of the above un hiding safe mode etc etc looks lie a years work down the tubes.

  182. paul   |  February 10, 2012 at 10:08 am

    excuse the spelling mistakes so bl..dy angry

  183. Mark Berry   |  February 10, 2012 at 10:32 am

    Paul, don’t give up on recovering your data just yet. If you’re not having any luck yourself, ask friends/associates until you find a good computer consultant. Let us know how it goes.

  184. Alisha   |  February 10, 2012 at 1:51 pm

    My poor parents got it today, I’m glad they called me before trying to open up anything, although, they thought I had been cheeky and booked a flight on their credit card!

    Dear Customer,

    FLIGHT NUMBER AA888
    ELECTRONIC 9294839
    DATE & TIME / FEBRUARY 20, 2012, 07:25 AM
    ARRIVING / Grand Prairie
    TOTAL PRICE / 211.22 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    AA customer services.

  185. Marianna   |  February 11, 2012 at 10:47 am

    I got the same email and my computer completely crashed… It’s asking for a credit card number. Any suggestions to get my files back or do I need to purchase a new computer??

  186. Mark Berry   |  February 11, 2012 at 10:54 am

    Marianna, under no circumstances should you give it your CC number. There are lots of suggestions on recovering your computer–see the “Update” in the original post, above, to find relevant comments. If you’re not comfortable doing it yourself, find a reputable computer consultant.

  187. jen venardos   |  February 11, 2012 at 1:35 pm

    Just got this one today, so it’s still doing the rounds. Thanks so much to everyone for the info here…it always helps to be able to google e.g. ‘American Airlines Email Scam’ to then find all the information you need to know! Cheers! Jen in Brisbane Australia!

  188. Jc   |  February 12, 2012 at 7:29 am

    I was unfortunately traveling and the date just happened to match my departure date, so I opened it and it did as stated above. I immediately found my “system restore” and restored my computer to an earlier date. It took a very long time but it worked. I was so scared that I had lost everything. I wish anyone who is unfortunate enough to open this file the best of luck and I hope this is helpful to them.

  189. Sweeeny   |  February 12, 2012 at 3:47 pm

    I just got this today – I’m surprised the virus checkers are not picking this up.

  190. Sandra   |  February 13, 2012 at 3:35 am

    Got one today to Miami for Feb 19
    My husband travels a lot and he was planning a trip for our anniversary this year but I was very suspicious with the date being so close so didn’t open it.
    Went on the AA site but didn’t see anything about the hoax.
    It got through all our security on my laptop so I’m annoyed about that. What’s the point of the security when I’m getting this and loads of other stuff this last few weeks.

  191. Chris   |  February 13, 2012 at 10:31 am

    Got this one today… Thanks to this post I saved an earful from my wife…. : ) I thank you all very, very much….!!!! ; )

    Dear Customer,

    FLIGHT NUMBER AA645
    ELECTRONIC 9354481
    DATE & TIME / FEBRUARY 22, 2012, 11:21 PM
    ARRIVING / Aurora
    TOTAL PRICE / 411.11 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  192. Mark R   |  February 14, 2012 at 2:45 pm

    As I was just flying with AA I opened my ticket attachment and this scam got me last Thursday and trashed all my files. After a few moments of horrible chaos a screen appeared offering to stop everything if I gave my credit card info. I did not do this but stopped it with System Restore but it was too late. I got to spend all day Friday rebuilding my system, files, etc. Luckily I had just backed everything up onto a DVD a few weeks before so little was lost but time.

    I hope the jerks behind this get what is coming to them in this life or the next.

  193. Eliot   |  February 15, 2012 at 6:33 am

    A customer just got this virus, and now all she gets is a black screen saying missing Operating System. The files are there, because when I booted to Hiren’s CD, I could see them. The Windows 7 CD could not fix the startup issue, could not even see the operating system.
    Could this virus have changed the active partition?
    If so, how does one change it back?
    Thanks

  194. Mark Berry   |  February 15, 2012 at 8:47 am

    Eliot, this is the first I’ve heard of boot issues but who knows what virus these guys are hanging on this email. You might have a rootkit, or maybe it changes the type of partition so Windows can’t see it. If you’re using Hiren’s, I assume you’re pretty technically savvy. If you must get the computer back to its previous state, I believe the folks at http://www.bleepingcomputer.com can help you diagnose and repair it. But it might be faster to just boot from Hiren’s, copy the user files to an external drive, wipe the drive including boot sectors (maybe Boot & Nuke), and re-install Windows.

  195. Jorge. Bautista   |  February 24, 2012 at 1:29 pm

    I have opened the same file. What is really weird is that my two computers and two iPhones are being remotely monitored. They went into my apartment and took the serial numbers of my two laptops. I have been trying a lot of things. I got the IP addresses, but the more I try to fix it, I think the more they learn.. What can I do???

  196. betty a   |  March 01, 2012 at 12:38 am

    So, if this has been going on for so long, how come I got it tonight in my inbox – did not open of course – (but always worried about mom if she thinks her credit card was hacked.) My trip was to Aurora. I don’t even know where that is. Fortunately my cc’s are maxed out so no worry for me. What I want to know is if this has been going on for months, why is it still getting past antiviruses. I have avg. No virus found.

    That’s scary. Looks like if they put their minds to something that doesn’t matter, they can accomplish anything. Too bad they don’t just become math geniuses and do something productive for the world.

  197. Lisa   |  March 01, 2012 at 7:39 am

    I got the same email today only with a March 7 date and the city “Columbus.” Thanks.

  198. Mark Berry   |  March 01, 2012 at 9:07 am

    betty a – my hunch is that they are changing the virus so it continues to get past anti-virus programs.

  199. Mario   |  March 17, 2012 at 12:43 am

    Also received an email (16 March 2012), coming from “American Airlines” (report-nr162 @ aa.com)… I immediately suspected a virus, as I never ordered a ticket with AA, a confirmation mail would normally be sent with the full name of the passenger (not just “Dear Customer”), there’s NO departure field and the attached file name is just a little too simple (“Ticket_American_Airlines_pdf.zip”). The whole email actually looks too simple to me (no html used, no pictures)…

    This was the full text:

    Dear Customer,

    FLIGHT NUMBER AS1011

    ELECTRONIC 6191485

    DATE & TIME / MARCH 29, 2012, 10:36 PM

    ARRIVING / Milwaukee

    TOTAL PRICE / 232.32USD

    Please find your ticket attached.

    You can print your ticket.

    Thank you

    American Airlines.

    Attached file: Ticket_American_Airlines_pdf.zip

    Glad I was able to understand the danger of this mail and to find more info here on the website…

  200. maria   |  March 17, 2012 at 2:33 am

    Having recently returned from the U.S. (I live in the UK) I received this email yesterday.
    Thankfully I didn’t open it. I googled it first & checked AA’s airline timetable:

    Dear Customer,

    FLIGHT NUMBER AA8019
    ELECTRONIC 3761962
    DATE & TIME / MARCH 20, 2012, 10:55 AM
    ARRIVING / Oceanside
    TOTAL PRICE / 248.48USD

  201. monica   |  March 19, 2012 at 1:24 am

    I received this email today:

    Hello

    FLIGHT NUMBER AA3928
    ELECTRONIC 8828759
    DATE & TIME / MARCH 23, 2012, 10:33 PM
    ARRIVING / New Orleans
    TOTAL PRICE / 237.37USD

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  202. Lorraine   |  March 22, 2012 at 4:06 pm

    I’ve just received this same American Airlines e-ticket and as it didn’t have a departure airport, I was suspicious and deleted it. Difficult to go on this flight if you’ve got nowhere to fly from!
    The ticket was for somewhere I’d never heard of. Shame I didn’t get New York or Chicago! Then I googled it ( wrong way round really ) and found this, It’s good to know there are good guys out there giving the right advice which is, delete it! I’m so glad I did.

  203. gregg   |  March 30, 2012 at 11:48 am

    my wife just received similar email: zip file attached. Her “free” ticket was to Amarillo, TX?! Not too suspicious, lol.
    I feel for everyone who has had problems from this.
    Stay vigilant people.
    Thanks for the info, OP.

  204. New USPS Shipment Virus Email | MCB Systems   |  April 19, 2012 at 1:00 pm

    […] a new variation on the airline ticket virus email that I reported on last November. An email supposedly from the United States Postal Service says […]

  205. Caroline   |  June 09, 2012 at 7:58 pm

    Dear Customer,

    TICKET NUMBER / 1 193 1090373421 1
    SEAT / 35A/ZONE 2
    DATE / TIME 22 JUNE, 2012, 10:29 PM
    ARRIVING / Tampa
    FORM OF PAYMENT / CC
    TOTAL PRICE / 115.15 USD
    REF / EK9330 ST / OK
    BAG / 1PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  206. eric   |  June 10, 2012 at 4:27 am

    Got it today for a flight tomorrow to Riverside, where is Riverside? Since I’m poor and don’t fly, I just checked to see what the attachment was and it was a zip file so I quickly deleted it, and deleted it out of my trash box too.

  207. ARMANDO DIAZ   |  June 10, 2012 at 8:58 am

    Dear Customer,

    TICKET / 3 303 1387394236 3
    SEAT / 37A/ZONE 1
    DATE / TIME 17 JUNE, 2012, 10:31 PM
    TODAY JUN 10, 2012 I HAVE RECEIVED THE VIRUS WITH ATTACHMENT, SO I LIVE IN MEXICO AND NEVER BEEN IN CLEVELAND…SO THE JACKER NEVER MIND IN THIS,….

    ARRIVING / Cleveland
    FORM OF PAYMENT / CC
    TOTAL PRICE / 371.71 USD
    REF / KE1431 ST / OK
    BAG / 2PC

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

  208. Tara   |  June 13, 2012 at 3:42 pm

    Dear Customer,

    FLIGHT NUMBER A59-264
    DATE & TIME / JUNE 22, 2012, 10:117 PM
    ARRIVING: NEW YORK JFK
    TOTAL PRICE : 422.34 USD

    Please download and print out your ticket here:
    DOWNLOAD

    Amercian Airlines{br[1-5]}

  209. Jason M   |  June 14, 2012 at 10:39 am

    Well I got hit, stupidly got fooled. Opened the attachment (winzip) and inside were a folder and an adobe? read file. I clicked the read file and it just disappeared, nothing happened, I clicked the file and there were multiple sub folders with gibberish in it. I ran avg and nothing, I ran my spyware program (I believe it’s called spyzilla) and nothing. No folders disappearing. I’ll go home and see if I can get my Malwarebytes program to work but I wonder if I dodged a bullet?

  210. Mark Berry   |  June 14, 2012 at 11:08 am

    Jason, you could well be infected even if the programs aren’t picking it up yet. Update your anti-virus program every day and scan every day for at least a week. I use Microsoft Security Essentials for real-time protection and automatic daily scanning, and I additionally run manual scans with Malwarebytes when I am worried about an infection.

  211. Jack Albritton   |  June 21, 2012 at 7:07 am

    My wife ordered a plane ticket and I opened the ticket (wrong airline) and got the virus. It disables my Microsoft Security Essentials. I tried to restore to earlier version but it will not let me. I loaded my Windows 7 disc before I left for work this morning and loaded my Microsoft Security Essentials and let it do a full scan. I hope I have good news when I get home this afternoon.

    Jack

  212. Jason M   |  June 21, 2012 at 10:26 am

    I updated my AVG, Stop Zilla, and loaded Malwarebytes. I ran all 3. Interestingly AVG didn’t catch anything but stopzilla found about 4 trojans and Malwarebytes found another 3. Deleted them all, reloaded Windows, ran both programs again and came back clean. I waited a few days and ran again with the same results so I think I took care of it. Definitely a tricky bastard and I learned a lesson.

  213. jon   |  October 01, 2012 at 7:30 pm

    I got the email today.
    Dear Customer,

    TICKET NUMBER / 3 596 1224304576 3
    SEAT / 73E/ZONE 1
    DATE / TIME 28 OCTOBER, 2012, 10:59 AM
    ARRIVING / New Orleans
    FORM OF PAYMENT / CC
    TOTAL PRICE / 337.37 USD
    REF / OE7710 ST / OK
    BAG / 4PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.
    The sender was, [removed]
    I didn’t open the .exe file named: AA_TICKET.ZIP

  214. Jim   |  October 08, 2012 at 5:55 pm

    I got the email today:

    Dear Customer,

    E-TICKET / 3 950 1259853817 3
    SEAT / 37A/ZONE 3
    DATE / TIME 22 OCTOBER, 2012, 10:40 PM
    ARRIVING / Yonkers
    FORM OF PAYMENT / CC
    TOTAL PRICE / 355.55 USD
    REF / EF4440 ST / OK
    BAG / 3PC

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  215. Valerie   |  November 09, 2012 at 1:42 pm

    I received this today, it bypassed all my security. It just seemed too strange to open it, googled AA email spam and found this confirmation, thanks!
    Dear Customer,

    TICKET / 1 666 1313956328 1
    SEAT / 49F/ZONE 2
    DATE / TIME 26, DECEMBER, 2012, 10:26 PM
    ARRIVING / Lexington
    FORM OF PAYMENT / CC
    TOTAL PRICE / 184.84 USD
    REF / OE9006 ST / OK
    BAG / 5PC

    Your ticket is attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  216. April   |  November 10, 2012 at 7:50 am

    Got this today. Knew it was fishy, in particular when the date of flight has already passed.
    It’s Nov. 10, 2012 today and the info states June 24, 2012. Had to google it to make sure.
    Thanks!

    To open archive pleace use this password: AATicket Dear Customer,

    TICKET / 2 298 1044938503 2
    SEAT / 10A/ZONE 2
    DATE / TIME 24 JUNE, 2012, 10:32 AM
    ARRIVING / Colorado Springs
    FORM OF PAYMENT / CC
    TOTAL PRICE / 262.62 USD
    REF / KE4854 ST / OK
    BAG / 5PC

    Your bought ticket is attached.
    You can print your ticket.

    To open archive please use this password: ticket6
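
Comment 176 notes that the danger lies in running the file inside the zip, and comment 216 shows a later variant that ships a password-protected archive. The sketch below is an added example, not part of any comment or of the original post: it lists members that would execute on double-click by reading only the zip's central directory, assuming a standard zip whose member names are stored unencrypted. The function names, extension lists and sample archive are constructed for illustration, and the double-extension check goes beyond what the thread describes.

```python
import io
import zipfile

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "lnk"}
# Extensions a lure borrows to look like a document.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "txt"}


def triage_zip(data: bytes) -> list:
    """List archive members that would execute if double-clicked.

    Only the central directory is read, so no password is needed and
    nothing is extracted or run.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An attachment named .zip that is not a zip deserves a closer look.
        return [{"member": None, "reasons": ["unreadable_archive"]}]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name, whichever path separator was used.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            parts = [p.strip().lower() for p in name.split(".")]
            if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
                continue
            reasons = ["executable"]
            # "Ticket.doc.exe" shows as "Ticket.doc" while Explorer hides
            # extensions of known file types.
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
                reasons.append("double_extension")
            # Bit 0 of the general-purpose flags: member data is encrypted,
            # so a mail scanner could not inspect the contents.
            if info.flag_bits & 0x1:
                reasons.append("encrypted")
            findings.append({"member": info.filename, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Quarantine when the archive is unreadable or holds anything executable."""
    return bool(triage_zip(data))


def build_sample(members, encrypted=False) -> bytes:
    """Constructed test archive: placeholder bytes only, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Mark each central-directory record as encrypted (flags at offset 8).
        # This imitates the header of a password-protected zip; the data
        # itself stays plain, which is enough to exercise the name check.
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= 0x01
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample(["Ticket.doc.exe", "readme.txt"], encrypted=True)
    for finding in triage_zip(sample):
        print(finding)
```
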

  217. Jackie   |  December 10, 2013 at 11:35 am

    Received an email from American Airlines yesterday and one from United today, both saying my eticket was attached. Luckily it went to my spam account and I did not open it. My husband checked all our credit card and checking accounts on another computer to make sure they had not been charged by somebody else. These even had the Norton check mark on them so you would think they had been scanned and approved by Norton.

  218. Grant   |  July 17, 2014 at 9:50 am

    This is still making the rounds as my spouse received one pretending to be an Air Canada source. Because we travel with them quite a bit I noticed a couple of inconsistencies from their normal confirmation emails. Interesting though, to add legitimacy to the whole thing the link to Air Canada’s Contact Us actually does take you to the legit page. Anyway, I’ve pasted the text of the email below for information.

    ReplyTo: tickets@aircanada.com

    Subject: Your Order #38810882 – PROCESSED

    Dear client,

    Your order has been successfully processed and your credit card has been charged.

    E-TICKET # QB38810882CA
    FLIGHT # 479018
    DATE & TIME / JUL 19th, 2014, 14:30
    DEPARTING / Toronto
    TOTAL PRICE / 895.00 CAD

    The ticket and the payment confirmation invoice can be viewed online :
    Link removed

    To download an electronic copy of the documents, for your own records, visit :
    Link removed

    For more information regarding your order, contact us by visiting : http://www.aircanada.com/en/customercare/index.html

    Thank you for choosing Air Canada
