New Airline Ticket Virus Email
Mark Berry November 3, 2011
Today I received an email supposedly from American Airlines with a Zip file attachment:
If you open the zip file, you’ll see what looks like a Word document:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:
Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.
As usual: if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!
Update January 16 and 19, 2012: Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:
- December 16, 2011 – Susan Green
- December 16, 2011 – Michael
- January 6, 2012 – Teresa
- January 16, 2012 – Shea
- January 19, 2012 – Bob
- January 19, 2012 – Mark
Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.
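The disguise described in the post (a file inside the zip that looks like a Word document until extensions are shown) can be checked without extracting or opening anything. The following Python is an added example, not part of the original post; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
"""Flag entries in a zip attachment that are Windows executables in disguise."""
import io
import zipfile

# Assumption of this example: a non-exhaustive list of extensions that
# Windows runs on double-click, and of extensions a lure tends to imitate.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".wsf", ".hta", ".cpl", ".msi", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".txt"}


def split_ext(filename):
    """Return (stem, ext) of the last path component; ext is lower-cased."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return base, ""
    return stem, "." + ext.lower()


def check_entry(zf, info):
    """Return the list of reasons one archive member looks dangerous."""
    reasons = []
    stem, ext = split_ext(info.filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # With "Hide extensions of known file types" on, Explorer shows
        # only the stem, so "Ticket.doc.exe" is displayed as "Ticket.doc".
        if split_ext(stem)[1] in DOCUMENT_EXTS:
            reasons.append("document-like name shown as '%s'" % stem)
    if info.flag_bits & 0x1:
        # Password-protected member: the content cannot be inspected.
        reasons.append("encrypted entry, content not inspected")
    else:
        # Read only two bytes, so a huge member is never decompressed.
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":
                reasons.append(
                    "content starts with MZ (Windows executable header)")
    return reasons


def scan_attachment(data):
    """Return {entry name: [reasons]} for a zip attachment given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A 0K attachment, e.g. one a mail scanner has already emptied.
        return {"<archive>": ["not a readable zip (empty or stripped)"]}
    findings = {}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = check_entry(zf, info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive; the 'programs' are just two magic bytes."""
    fake_header = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", fake_header)      # disguised name
        zf.writestr("renamed_ticket.doc", fake_header)  # header/name mismatch
        zf.writestr("itinerary.txt", b"Please find your ticket attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_attachment(build_sample_zip()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The check reads only the archive's directory and the first two bytes of each member, so nothing from the attachment is written to disk or run.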
Thank you very much for posting this! I really appreciate it – it saved me from being caught with it.
Very good post!! Just had the email myself, only flying to New York JFK this time. The date was also the 9th of December. Again, thanks very much!!
I just received a similar email, luckily I decided to have a look on Google before opening it!
I also received one of these today. The attachment was disguised as a PDF. I actually double-clicked it (after it passed anti-virus scan), then realised what I’d done, and so I quickly crashed the computer to prevent it unpacking. No ill effects so far, but a close call. In my case, it got past BitDefender, even when I scanned the zip file.
I hate these people.
I just got the same thing…
Notification,
FLIGHT NUMBER A781BN
ELECTRONIC 763738965
DATE & TIME / DECEMBER 08, 2011, 11:53 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 411.12 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
With a zip attachment. I agree it has to be a virus.
Interesting… Gmail quarantined it…
The message “Your Order##226836253” from American Airlines (manager.sn.29595@aa.com) contained a virus or a suspicious attachment. It was therefore not fetched from your account and has been left on the server.
If you wish to write to American, just click reply and send American a message.
Thank you,
The Gmail Team
By now the anti-virus engines should be trapping the one that started November 3. However I received a new variant, also bypassing multiple checks, about ten days ago. Stay vigilant!
Hi I got the same e-mail in my junk box today, thanks for posting comments. It’s good to see what’s out there
June
Cheers for this, thought it would be a virus but always nice to know for sure
Also just got one…… Shame it’s a virus as could really do with a holiday
Notification,
FLIGHT NUMBER A781BN
ELECTRONIC 557662963
DATE & TIME / DECEMBER 14, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 258.23 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Anyone have any suggestions on how to clean it once it has been opened and therefore infected the machine?
I also rec’d this today 6th Dec but thought I would check it out before I opened it. So thanks to everyone who has posted this info.
Notice,
FLIGHT NUMBER AA984
ELECTRONIC 600619277
DATE & TIME / DECEMBER 16, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 321.56 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Got this today. As I never book American Airlines and there was no departing airport, I scanned it with McAfee and nothing was found, so I had a little look and saw it was an exe file, so decided to check online first as I was wary, and found this page. It arrived in my AOL email box that is meant to be protected by AOL and McAfee.
It got through my AOL account too. Why would someone open a flight email when they haven’t booked one?
Does anyone have any ideas in how to sort things- I opened the file by mistake-or is it a lost cause – many thanks
I got this today. And because I work with travel all the time (and have an outstanding JFK flight) and was in a hurry, I stupidly opened it. IT ERASED EVERYTHING ON MY COMPUTER except AOL and my wallpaper.
I know this was stupid – have a MAC and never got a file like this so far. So I tried to open (and could not because it was a doxcs file and left it). Will something happen? How can I check?
I don’t know if anyone knows how to obtain a more definitive location
IP of sender of e-mail virus is 142.166.86.98
located in Fredericton, New Brunswick, CANADA
I just received one as well. I’ve got Avast! free virus scan and mine did see it as a dangerous file.
Thanks for the posts made me sure not to open it
I just got this myself as well in my outbox via Hotmail
=========================================================================
Notification,
FLIGHT NUMBER AA983
ELECTRONIC 744412175
DATE & TIME / DECEMBER 14, 2011, 10:45 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 283.30 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you
American Airlines.
=========================================================================
Thanks so much for all the posts – I was just about the click it open thinking one of my staff team had been using the credit card but thought I better check.
Thanks saved me too
My girlfriend has just opened this email too. She has lost all of her university work from the last two years. No back up. A tech guy is trying to restore it at the moment. Has anyone who opened the file managed to get their info back?
She has just got back from NY on holiday so why wouldn’t she open the file!?
Gutted.
I just opened this. It got through my aol account, and I opened it because my mom doesn’t use her email and when she buys tickets and stuff she uses my account. My anti-virus didn’t catch it. I opened it. Everything I had was erased. I am trying to see if any techs can restore it. Anyone have any luck?
Good job I thought to have a look on google before opening the email in my junk folder!! I thought that somebody had got my credit card and was having a good time at my expense.
Email was as below.
Notification,
FLIGHT NUMBER 980
ELECTRONIC 753197060
DATE & TIME / DECEMBER 13, 2011, 12:54 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 214.34 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
THANKS EVERY ONE FOR POSTING!!
I received this right now and luckily googled first. I’m going to NY in February so they almost fooled me.
Notice,
FLIGHT NUMBER A781BN
ELECTRONIC 363169492
DATE & TIME / DECEMBER 12, 2011, 11:53 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 367.45 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Got the same notice but made the mistake of opening it in a PDF. It crashed the PC. Rebooted in Safe Mode and was able to restore to an earlier date. Got my files back but have some small issues to resolve. A lot of time and frustration over this. So far so good.
Came through as spam on AOL but knew not to open. Good to see people helping.
American Airlines do not fly from my local airport and it has been over twenty years since I have needed to visit any part of the USA, let alone JFK so I knew that it was some sort of spam anyway and just deleted it. Clearly whoever sent it had not targeted the recipients very well. My concern though was that it went through three levels of security to go directly into my inbox. Any ideas who is responsible and what we can do about it?
Wish I had easy answers for those that got the virus. Sometimes Safe Mode helps, in combination with a good scanner like Malwarebytes. More advanced options include booting from CD to run anti-virus programs. Often your only recourse is to wipe the disk and re-install everything. As long as you have backups, that’s not catastrophic; a good image-based backup can quickly take you back a day or two. I blogged briefly about backups.
It is disturbing that these things are getting past anti-virus scanners so frequently, but there are so many new viruses every day that there will always be some that get through. If you want to see how many scanners recognize the variant that you received, you can upload a copy of the file to http://www.virustotal.com. Do this at your own risk–you have to save it to your computer without opening it in order to be able to upload it.
It is still circulating with later dates. Thanks for the info…. Fortunately, I didn’t open it. Thanks again!
Dear Customer,
FLIGHT NUMBER AA984
ELECTRONIC 064249717
DATE & TIME / DECEMBER 23, 2011, 10:43 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 366.45 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
Whole computer crashed. All the files disappeared one after the other as soon as I clicked on the ticket sign (PDF format). I feel so sorry for opening that file. I lost all my new baby’s pictures. We didn’t even have a chance to back them up. Sick people.
Mb, sorry to hear that. You’re maybe the third comment reporting deleted files. I’ve heard of viruses that hold files for “ransom” until you pay them, but no one has mentioned that here. Consider taking the computer to a pro; maybe there is a way to salvage/undelete the files. Let us know if you find out.
Just received email, mine was to FORT WORTH. Lucky I did a check around first to see if it was a virus before I tried to open it
I received the email too. Mine said it was for Chicago on Dec 22. I knew I hadn’t purchased a ticket so I used trusty ol’ google and found this page! Thanks for posting!
Received this but didn’t notice it right away – we live in England and were in bed when it was sent. Also thought it was interesting that mine says the zip file has 0k – so it is empty – I assume. Maybe the virus checkers are now alert to the scam. I googled the flight number and it did not equate with the same destination listed in the email. Thought originally my husband might have bought a ticket for someone in my family to come for a visit, however all my family are on the West Coast. None of the information regarding the flight is correct. So glad I found this site or I might still be wondering.
American Airlines report.id83641@aa.com
12:27 AM (16 hours ago)
to me
Hello
FLIGHT NUMBER AA634
ELECTRONIC 791699218
DATE & TIME / DECEMBER 23, 2011, 10:43 PM
ARRIVING / Charlotte
TOTAL PRICE / 182.32 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
American Airlines.
Ticket.zip
0K View Download
I just looked back over some of the messages and found this interesting:
“Thank you for using our airline company services.”
“Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.”
Strange sounding wording – your bought ticket – wouldn’t an American company say purchased? And “our airline company services” doesn’t sound right either. Just a thought.
And thank you for your attention – who would say that in America?
Just had this email sent to me for a flight to Jacksonville, but it was flagged by google chrome as a virus.
Eva, “quite right” as the British would say: poor grammar or spelling and odd phrasing are often a clue that the email is not legitimate.
Your 0K attachment may indicate that an anti-virus program (either on your computer or on the email server) cleaned the virus before it got to your Inbox.
I received this attachment in my gmail inbox. I didn’t download but previewed it. Should it harm my pc?
I got the same mail, I opened it while I was in conversation with a colleague, didn’t notice it, man my computer is gone! It deleted everything, hard disk is not functioning.
Your files & folders aren’t missing, just hidden. In Windows Explorer, navigate to Folder Options, click the View tab and select Show hidden files and folders. It’s going to take some work but all is not lost. Don’t ask me how I know.
Just had one crop up at work. Our mail server failed to notice it, but when I attempted to forward it home, gmail bounced it back.
Just got one too – into my outlook mailbox. Glad I researched it before opening the ticket! Thanks for the great info.
Here’s what I got:
Dear Customer,
FLIGHT NUMBER AA711
ELECTRONIC 966501410
DATE & TIME / DECEMBER 24, 2011, 10:43 PM
ARRIVING / San Diego
TOTAL PRICE / 181.30 USD
Please find your ticket attached.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
Here’s what I did to restore his PC:
Closed all open windows
Reboot in safe mode with networking
Because we couldn’t see IE – in search – put in Run and then iexplore.exe
Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
Ran combofix – after it was done the icons returned to the desktop
Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
Started with #7 and downloaded Malwarebytes and ran it – found 3 items
Continued with #19 to unhide the icons
Rebooted as normal and PC was back to pre-virus state.
Good luck!
Having embarrassed myself (especially having worked for a famous OS software company), I fell for this one bad and by the time I realized it was a .exe file and not a pdf, the damage was done. However, I was able to completely fix the problem by doing the following (and assuming those who were infected have the same condition with your OS). Note I have a Windows Vista OS on my computer.
1. Click on lower left corner Windows icon.
2. Click on All Programs (that was the only option that was showing in this Window after the attack).
3. Click on Default Programs
4. The header file will now show Default Programs>
5. Click on Control Panel in the file name and that should come up.
6. If it does and you’re in Classic View, click on Backup and Restore C. If on default home view, select System and Maintenance. Follow instructions from there to restore your system to a previous date/time from the attack (if you’re able to). Fortunately I was.
7. OS should reset everything back to status quo before the attack – at least mine did.
Again as stated by others, you have not lost your files or programs with this vicious attack, just the access to them.
I hope this helps and good luck.
Thanks Susan and Michael for sharing your remediation procedures.
I got another one of these today, except this time instead of an attachment, it had a link to “Download your ticket here.” I started up an isolated virtual machine and opened the link. It linked to a site with an .ru domain (Russia), which started downloading a rather long Javascript. I got tired of waiting for it to do anything so I closed the virtual machine, deleting the changes.
Bottom line: watch out for variants: PDF instead of DOC attachments, or just a link with no attachment.
I also received this today … I figured it was either a virus, or someone got my CC number & info and booked something … glad I googled before anything else … I also NEVER trust ANYthing sent to “Customer” … .
Dear Customer,
FLIGHT NUMBER AA711
ELECTRONIC 565963602
DATE & TIME / DECEMBER 20, 2011, 12:53 PM
ARRIVING / Jacksonville
TOTAL PRICE / 312.12 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
My father just opened this email up and his PC crashed and everything was erased. I was able fix the problem in the following manner: (I just did this two minutes ago and as of now everything appears to be normal again)
1) Shut down the computer as soon as possible to avoid any further damage.
2) Reboot the computer in safe mode. (this is done on Windows by tapping the F8 button when you turn on the computer, if you get to the windows logo it’s too late. Restart the computer and try again.)
3) Open the computer in Safe Mode with networking.
4) Go to the Control Panel and perform a system restore. (this will restore your computer to an earlier date, specifically one before you opened the virus.)
Anything you did after the system restore obviously won’t be available, but this is a small price to pay to get your computer back.
I just received a similar email…I got it on my phone and there was no attachment to open on my phone. I checked my bank account just in case it was fraud done on my account. It’s sad to say that has happened to me before and they stole more than $1100 out of my bank account =(
Wish I’d seen this page before now….I opened it up on Saturday and my ticket was to Detroit - in hindsight it was stupid but I genuinely thought someone had used my card ….. cue everything wiped off my PC and a nice £60 bill to restore and repair - fine now but I’m so angry and annoyed that there are some people sad enough to get off on this sort of thing!
I also just received it. I decided to check out first but like some of you I thought at first someone had gotten to my cc…..However, I do not recall receiving real confirmation letters sounding like this one:
Hello
FLIGHT NUMBER AB871
ELECTRONIC 524891814
DATE & TIME / JANUARY 18, 2012, 10:33 PM
ARRIVING / Oxnard
TOTAL PRICE / 178.12 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines
This is such a shame some people find joy in ruining somebody else’s work.
Hopefully it will not be making any more harm.
I received this email, destination Chicago, in my AOL email. Fortunately, my husband was sitting in the room at the time. I actually downloaded the .zip file and started to extract when something just felt wrong. I told my husband and he asked me to forward it to him and today he found this post. I also checked my bank account to see if there had been any charge there, but none. It was odd for it to come to my AOL account, because literally NOTHING that I use is attached to that account. I also found the language “a scan document” rather than “a scanned document” strange. Thanks for the info. I’m really glad I stopped the extraction when I did!
I opened this before reading these posts. Does anyone know if this virus can affect a MAC Book Pro?
Chris, I’d be surprised if this affects Macs. Let us know if you find differently!
To get your data back you need a program from bleeping computers called unhide. I am a computer tech and have experienced many people with same issues. Email me if you need further assistance.
Got this same email today with the destination to california. Must be going around!
Thanks for these postings…
I knew I hadn’t bought this plane ticket and thought it was a mistake…
Thought it was odd the email began with the greeting “hello”
Glad I didn’t open the file!
It’s doubly weird that I am actually getting on an airplane tomorrow!
I received that email this evening but for some reason there was no attachment or links.
Dad opened this, took his drive out and put in another machine and ran malwarebytes then put it back in his computer. Found a bunch, but not all XP functions work on his drive. All the data is there, which is good. When trying to boot to safe mode it opens a window for Vista OS and then just boots normal and doesn’t give any “Safe Mode” options. Any idea how to fix the XP OS without a format?
Chris, not sure why Vista would come up if you have XP. Maybe your BIOS is set to “Fast Boot” so you’re not getting the chance to get in with the F8 key. There are a couple procedures in the comments above, e.g. using System Restore, that may not require Safe Mode.
I am contacting you from my Xp as my Vaio Vista is crashed. I was flying to NYC on American so I clicked on the e-mail. I saw the “.exe” too late and had already clicked the zip file. My Sony Vaio w Vista os began faltering and shutdown.
I cannot get F8 to work so no safe mode.
The only success i have is F2/Bios settings or F10/ Vaio recovery center.
I really don’t want to lose all my files, my husband has passed away and I have his photos + files I haven’t backed up that I dearly want to keep.
I used the Vaio rescue Data button to backup to a hard drv but i’m afraid to connect it to another computer for fear it will infect it. I don’t know if it actually worked in backing up files.
When I tried using the restore point in Vaio recovery center I had an error msg of “no os detected” so it could not access windows to do a restore. Do I have any other options for accessing the info on my HD? I’m hoping it is still there + I can find a way to get in + change the attributes but how? How could I make a rescue cd (no os detected)? Any step by step instructions would be greatly appreciated!!!!
Thank you
Ina, there are a couple step-by-step procedures in the comments above but if you cannot get F8 to work, or if you are not comfortable with virus recovery in general, I would recommend taking your infected machine to a reputable local professional.
I did buy ($10.) a vista recovery disc online and I used it to boot but it couldn’t see windows vista even though I could use it to see some of my files.
It was very limited in its tools.
I’m wondering if I could use it to make another cd w “unhide” on it.
I can go to the command prompt w this cd. Can I use the same old dos commands to move around in the files? change the attributes etc?
Ina, I would think that you would have access to the DIR command. Not sure if it supports the /ah switch to show hidden files, or whether you also have the ATTRIB command for removing the hidden flag.
Some colleagues have recommended Hiren Boot CD (http://www.hiren.info/pages/bootcd). I have used Ultimate Boot CD (http://www.ultimatebootcd.com/). Either one should give you a graphical file explorer that would let you look at hard disk contents. Not sure about unhide utilities but these are pretty comprehensive utility CDs so probably unhide is available.
Thanks for posting this article. I was tempted to open this email thinking someone stole my visa number. It did go into my hotmail junk file.
I got this this at about 7:40 this morning.
Hello
FLIGHT NUMBER AA551
ELECTRONIC 770448823
DATE & TIME / JANUARY 13, 2012, 10:53 PM
ARRIVING / Chattanooga
TOTAL PRICE / 214.23 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
——————————————————————————–
No virus found in this message.
Checked by AVG – http://www.avg.com
Version: 2012.0.1901 / Virus Database: 2109/4707 – Release Date: 12/27/11
I got the email today and thought my wife made flight arrangements for her upcoming trip. Lucky I opened it on my Mac; so far nothing has happened. But I also opened it on my phone; hopefully nothing is affected and it stays that way.
Got this today–saw it come up on my iPhone as I rarely if ever go out to AOL to read my mail. Figured it was a virus and came out here, so I forwarded it to AOL’s spam team and deleted it. Whew.
I got this email to my AOL account which I rarely use and like other people I thought either its a virus or someone got a hold of my cc. The wording didn’t sound right which made me think it was probably a virus but out of curiosity I went ahead and opened it on my Android phone. So far nothing has happened. I quickly deleted all the files from my phone anyway.
I just got this email in my yahoo account – yahoo caught it as spam – glad I checked here first. Not to mention I have no plans on traveling soon or on AA….
Just received this email this morning into my business email, and knew instantaneously it was a virus or password fisher. I travel a few times a month, but never on American Airlines. The improper grammar was also a huge tip-off.
My partner opened this same email last evening, AND the attached zip file.
It immediately began scanning our system, files appearing on screen one after another, appearing to be a WINDOWS anti-virus scan. We use McAfee, not WINDOWS for security, so
I attempted to close this new screen and run a scan with McAfee. It worked well, up to 97%, then shut down and the virus screen reappeared.
I immediately unplugged the computer and disconnected it from the intranet. I used my laptop to do research on a cure for this virus. I discovered a company offering assistance – TeeSupport.com – online at 10pm at night – live support. It cost me $69. to have them “takeover” (online) my computer and manually delete the virus.
I spent the money – as of now, it appears we’ve lost nothing and everything is back to normal.
Another lesson reminded – never open an attached file that you don’t recognize. (grrrr)
I hope law enforcement catches the little jerks.
First off thank you so much for your coverage of the Airline Virus Emails that have been going around, it has been a big help.
Yesterday, my wife opened one of these emails and the attached zip file on her Droid-based T-Mobile Samsung Galaxy S, w/ the Gmail App, not realizing what it was.
Is her phone at risk? I am not sure anything was installed. I have heard that the .exe cannot be read by Droid but I am also not sure if the .zip had a .exe or something else in it as she deleted the email after opening it.
I have run a scan of the phone with some of the free Anti-Virus Apps (Lookout and AVG) from the Market place and that reported no issues.
I have thought about connecting her phone to my HP laptop with Symantec Endpoint Protection to run an additional virus scan but I am concerned that I may infect my laptop if I mount the phone via USB. Should I be concerned about transferring a virus to my laptop if it is in fact on her phone?
Thank you.
Mike, I’m no Android expert but I doubt a Windows .exe could run there, and so far no one above has reported otherwise. Just connecting your laptop probably wouldn’t matter, but if you went so far as to copy the .exe and execute it, you could infect your laptop. I’d just delete the mail and any saved downloads, and thank goodness you didn’t get infected!
Dear Customer,
FLIGHT NUMBER A627
ELECTRONIC 859595824
DATE & TIME / JANUARY 29, 2012, 11:44 PM
ARRIVING / Montgomery
TOTAL PRICE / 275.23 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.
This is the email I got. Could only be a virus. If I booked a flight, it would have my name and a city I would travel to
I got the same thing! Here is what I got:
Hello
FLIGHT NUMBER AB871
ELECTRONIC 386425646
DATE & TIME / JANUARY 26, 2012, 10:22 PM
ARRIVING / Tucson
TOTAL PRICE / 192.54 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
I got one of these today too and didn’t fall for it
Don’t You Either…………………….
Dear Customer,
FLIGHT NUMBER A627
ELECTRONIC 378860473
DATE & TIME / JANUARY 31, 2012, 10:33 PM
ARRIVING / KnoxvilleFort
TOTAL PRICE / 111.12 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines
New Airline Ticket Virus Email. Thank you Mark Berry for your kindness in posting the warning regarding this virus email. I just received the email today. I recently stupidly put my real name, address, and email on a web site and thought that the “American Airlines” email was a result of that error.
Just received this today and as I travel often, I opened the file on my HTC Evo Droid phone while I was out, and preoccupied:
Dear Customer,
FLIGHT NUMBER A745
ELECTRONIC 780536635
DATE & TIME / JANUARY 13, 2012, 10:33 AM
ARRIVING / St. LouisTampa
TOTAL PRICE / 199.12 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
I have looked thru my phone/SD card and can’t recognize if there was a file downloaded. When I clicked on the attachment again on the phone/email it asked “would you like to replace the existing ‘ticket doc’?” When I go thru all of the files tho, I don’t see anything called “ticket doc”.
I downloaded Lookout virus scanner from the Droid Market and the phone comes up clean – but is this accurate? How can I find the file? I’m totally freaked out that my phone is infected and all of my info is being drained as I type this..
HELP!!!
I hear it was distributed through AOL email.
Here’s what I removed (so far)
zbot trojan virus: detected by AVG free (froze when trying to isolate) Ran a special program from AVG (rmzbot)
STOPzilla found: (2) inter2000, (1) GASF file (liia.sys) and (29) Registry Key entries
Reinstalled AVG, ran, detected and removed: Generic_r.IO, (gmect.f) Win32/Kryptik.YGY (SIL.EXE), Artemis!3115F56C61CA (9B20.tmp), TR/Crypt.XPACK.Gen (B3E0.TMP), Artemis!3115F56C61CA (A59C.TMP)
All has been quiet now for a day or so. Hope it’s gone!
But how do I find it and remove it from my phone? I can’t find any zip files on sd card, or elsewhere
NWC, please review my 12/30 comment re. Android.
Just received one today – thank you for documenting the virus – saved me a great deal of time and expense.
Dear Customer,
FLIGHT NUMBER A714BN
ELECTRONIC 669723510
DATE & TIME / JANUARY 25, 2012, 10:53 PM
ARRIVING / Sacramento
TOTAL PRICE / 189.11 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
Got this today.
Hello
FLIGHT NUMBER AA112
ELECTRONIC 935047405
DATE & TIME / JANUARY 13, 2012, 10:22 AM
ARRIVING / KnoxvilleFort
TOTAL PRICE / 125.22 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you
American Airlines.
Just had one show up at 11:12am
Hello
FLIGHT NUMBER A627
ELECTRONIC 320508329
DATE & TIME / JANUARY 30, 2012, 11:44 AM
ARRIVING / Oxnard
TOTAL PRICE / 189.11 USD
Please find your ticket attached.
You can print your ticket.
Thank you for your attention.
American Airlines.
Thanks for sharing – I thought it looked like a virus, thankfully it went to my hotmail spam so I was instantly suspicious!
I got one of these today and another a couple weeks ago. First I was going to NYC and then I was going to Grand Rapids. I just want these fools to know I’m not as much of an idiot as they think I am!!!
Thank you for the posts. I thought someone had gotten My CC card and info and was planning on doing some traveling. Glad I googled it first.
I received two of these today. It was a close call for me to open it because I AM flying AA in a few days and made a change yesterday. The first clue was that it went to my spam account, the second was it looked NOTHING like the other emails from AA. Glad to find my gut instinct was correct.
Got one today too! I do NOT fly, so this was a curious inbox find to say the least. Perhaps I am still oversensitive, but to see a fake flight #A911, knowing American Airlines flight 11 was one of the 9/11 casualties, is pretty freakin’ crappy IMO.
Your Order#517599993
American Airlines account.id3994@aa.com
Dear Customer,
FLIGHT NUMBER A911
ELECTRONIC 641467651
DATE & TIME / JANUARY 27, 2012, 11:44 PM
ARRIVING / Aurora
TOTAL PRICE / 189.15 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
I received one today sending me to Amarillo… as a Texan, I can say that I would never purposely choose to fly there!
FLIGHT NUMBER AA534
ELECTRONIC 747841554
DATE & TIME / JANUARY 13, 2012, 10:33 AM
ARRIVING / Amarillo
TOTAL PRICE / 257.58 USD
I received the email on my phone. Since I haven’t made any arrangements to fly, I did not open. I checked the AA website to check if the flight number existed. It didn’t. I was also afraid that someone booked using my credit card. Then on to Google where I found all you great people posting the same thing. Thank you for sharing. I immediately deleted it.
Never open an e-mail you don’t trust. The American Airlines ticket virus just got me. What was I thinking. I had to restart my computer in safe mode to try a system restore. I think it worked. Good luck. Why aren’t the FBI going after these thieves? Follow the money and bust them. It’s attempted theft. They infect your computer then offer to sell you the problem fix. Follow the money and bust their ass. Prison time is what these jerks should get, not our cash.
I received this email on Jan 2, flying to Chicago! Flight A911. Thought it suspicious so first checked all my credit cards for the amount posted for the cost. Then googled the flight #. BTW…who wants to go to Chicago in Jan? GEEZ…at least pick Florida!!! LOL.
Thanks for the heads-up!
When you get a free ticket in the mail which doesn’t even tell you what city you are leaving from and then look at the AA website to see there is no such flight number and NEVER EVER open a ZIP file from someone you don’t know
Just received one with arrival to Plano?? flight A864 through AOL account. Almost got me because I do have a flight booked with American Airlines to another destination and didn’t read it carefully, but thankfully my AVG caught it as a Trojan horse virus before I could open it. Checked online and found all the warnings, will never do that again before reading it thoroughly first!!
Got one like this today and was immediately suspicious, did not open the attachment, and marked it as spam. I realized that had I actually recently made some kind of travel plan, I might have been duped into opening this. So obnoxious.
Here’s what I did to restore his PC:
Closed all open windows
Reboot in safe mode with networking
Because we couldn’t see IE – in search – put in Run and then iexplore.exe
Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
Ran combofix – after it was done the icons returned to the desktop
Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
Started with #7 and Downloaded Malwarebytes and ran it – found 3 items
Continued with #19 to unhide the icons
Rebooted as normal and PC was back to pre-virus state.
Yeah…I wasn’t so smart and opened it, luckily my security suite caught it and quarantined it -_- that’s a scary one though, because it seemed pretty real.
Just got a new version of this virus:
Dear Customer,
FLIGHT NUMBER A714BN
ELECTRONIC 712573989
DATE & TIME / JANUARY 17, 2012, 10:22 AM
ARRIVING / Miami
TOTAL PRICE / 157.17 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
American Airlines.
Just noticed that in all the examples submitted, not a single one lists a departing city. When have you ever received a flight confirmation that didn’t list the from AND to airports? Of course if they put that in there, it would make the fraud more obvious, since they would be unlikely to list your local airport.
I received mine the other day. Apparently I was traveling to Newark on 1/13/12. I’m glad I didn’t open it. Thank you all for the heads up.
I’d suffered the results of the virus since I’d scheduled a flight on American Airlines and assumed the email was legitimate without reading details before opening the attachment. My computer specialist was able to recover my primary desktop but not the JPG photos on my pocket hard drive. Is there a good way to recover these?
Nick, if they really are just hidden files, as some have suggested above, you should be able to turn on hidden files in Windows Explorer to see the files, then change the files attributes (remove the “H” hidden flag) to unhide them. Here are a couple relevant articles:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
http://www.cypherhackz.net/archives/2009/04/06/files-hidden-by-virus-how-to-unhide-them/
I got this too and it got past all of my security
I sent it on to American Airlines over a week ago
not heard a thing from them
they obviously don’t give a $%*t
I just got this today… glad I searched. My Avast antivirus won’t let me open the zip. It says it contains trojan virus.
Afternoon all,
x
Currently living in England and due to fly to New York for a 5 day break next week, was surprised to see this in my email box thought it was my real ticket as my mum has sorted the flights out, I really thought she has just got the airline to forward the ticket to me!!….thanks to all your comments I deleted it and no virus infected anywhere!
All I have to say is that you people do a great act of charity by saving a lot of people a lot of heart ache! I received the email…was suspicious so I opened it with my IPAD instead of my home PC. I even opened the zip file but the file informed me that it could not be opened in DOS mode…it appeared to be a .EXE file…so I deleted all the files associated with the email…looked at your blog realized I should have looked up the possibility of this being a virus before ever opening it even on the IPAD. Thanks again !!!!
The damn virus is still going around, luckily my spyware caught it. They should lock those people up with nothing better to do. Do some good for the world instead of infecting people’s computer. What a waste of talent.
It IS still going around! My mom’s computer has a virus or something, we know that, and I’m going to run Malwarebytes and some other stuff on it this weekend. But last week, my sister and her husband, who live in Chicago, were leaving and had checked in for their American Airlines flight using our mom’s computer the night before. Later that same night, our mom received an official looking email regarding a flight she supposedly had booked for Chicago! Makes you wonder if someone is monitoring my mom’s computer activity! How was it that it knew to send an email about a flight to Chicago and not JFK or some other city??
How do I restore my missing files? Anyone
scarrlitte, good question. You’re the first to mention the possibility of a targeted campaign. It’s probably a coincidence, but post back if your scans turn up any nasties on her computer!
John, check the comments above dated 12/16/2011 and 1/16/2012 for suggestions. Use at your own risk. If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.
I also received this today. 2 weeks ago we had a $400 charge on one of our debit cards in England so needless to say, it freaked me out thinking it has happened again. I got as far as the step before opening attachment and thought…wait a minute, better google this just in case. Thank God everyone posted, Thank You. Next step….sending it on to AA.
Scarrlitt….very good question. I have not been on any airline websites but, I live in Tn and originally from Wa. state. If I were to visit, I would fly into Spokane, which is exactly where they said this ticket went to. Coincidence? How many here that have posted have the “same” coincidence?
I received last night on mail. but why my ticket more than very expensive
Dear Customer,
FLIGHT NUMBER A445
ELECTRONIC 385366975
DATE & TIME / JANUARY 30, 2012, 12:44 AM
ARRIVING / Philadelphia
TOTAL PRICE / 324.22 USD
Please find your ticket attached.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
Got one this morning.
Wow
I received one of these today (I’m off to Pittsburgh apparently). Was somewhat suspicious but as the attachment claimed to be a .MIM file rather than a .exe or .zip and such file extensions appeared to be safe according to fileinfo.com, I tried to open it. Luckily my PC wouldn’t open it without choosing a program to open it with. I assume, the senders could have changed the file type to disguise that it was a .exe or zip file?
Have done a full system scan with Norton and found nothing so hopefully I have had a lucky escape.
Received one this morning going to Anaheim. I opened thru my blackberry & couldn’t click the link. Thank goodness I kept it away from my computer. Thanks for all of the info
Ryan, looks like WinZip and even Outlook open .mim (MIME) files. I bet if you had one of those installed, as many people do, it would have opened to reveal an executable, which if clicked would have installed the virus. Yes, a lucky escape! http://www.fileinfo.com/extension/mim
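The check discussed in the exchange above (looking inside a Ticket.zip or .mim wrapper for a program before anyone double-clicks it), as an added example that is not part of the original post or comments. The extension lists, the size limits, the treatment of a .mim file as an ordinary MIME message and the sample message with its harmless two-byte "MZ" stub are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".jpg", ".txt"}
CONTAINER_EXT = (".zip", ".mim", ".eml")
MAX_DEPTH = 3                   # stop unpacking deeply nested containers
MAX_NESTED = 10 * 1024 * 1024   # read at most 10 MB of a nested container


def classify(name, head):
    """Reasons one file looks like a disguised program (empty list = none)."""
    base = name.replace("\\", "/").split("/")[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if head[:2] == b"MZ":                       # DOS/PE executable signature
        reasons.append("MZ header")
    if ext in EXEC_EXT:
        reasons.append("executable extension")
        if len(parts) > 2 and "." + parts[-2] in DOC_EXT:
            reasons.append("double extension")
    return reasons


def scan_blob(path, data, depth=0):
    """Check one attachment or archive member; returns [(path, reasons)]."""
    if depth > MAX_DEPTH:
        return [(path, ["nested too deep, not inspected"])]
    reasons = classify(path, data[:2])
    findings = [(path, reasons)] if reasons else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings += scan_zip(path, data, depth)
    elif path.lower().endswith((".mim", ".eml")):
        findings += scan_message(data, path, depth + 1)
    return findings


def scan_zip(path, data, depth):
    """Look at every member of a zip held in memory without extracting it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, ["unreadable archive"])]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = path + "/" + info.filename
            if info.flag_bits & 0x1:            # encrypted: content unreadable
                reasons = ["encrypted member"] + classify(info.filename, b"")
                findings.append((member, reasons))
                continue
            nested = info.filename.lower().endswith(CONTAINER_EXT)
            with zf.open(info) as fh:
                body = fh.read(MAX_NESTED if nested else 2)
            findings += scan_blob(member, body, depth + 1)
    return findings


def scan_message(raw, path="message", depth=0):
    """Walk a raw MIME message and check every named attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""
        findings += scan_blob(path + "/" + name, data, depth)
    return findings


def sample_email():
    """Constructed sample: a harmless 'MZ' stub inside Ticket.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", b"MZ" + b"\x00" * 62)  # stub, not a program
        zf.writestr("readme.txt", b"constructed test data")
    msg = EmailMessage()
    msg["Subject"] = "Your Order (constructed sample)"
    msg.set_content("Please find your ticket attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Ticket.zip")
    return msg.as_bytes()


def sample_mim():
    """The same message wrapped as a .mim attachment of a second message."""
    outer = EmailMessage()
    outer.set_content("See attached.")
    outer.add_attachment(sample_email(), maintype="application",
                         subtype="octet-stream", filename="Ticket.mim")
    return outer.as_bytes()


if __name__ == "__main__":
    for found_path, why in scan_message(sample_mim()):
        print(found_path, "->", ", ".join(why))
```

The member is judged by its first two bytes as well as its name, so a program renamed to look like a document is still reported.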
I just got this email, thankfully I googled it…
Dear Customer,
FLIGHT NUMBER A842BA
ELECTRONIC 566801615
DATE & TIME / JANUARY 26, 2012, 12:44 PM
ARRIVING / Tacoma
TOTAL PRICE / 389.35 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
Just got this email this morning. I was almost fooled…I had used credit card online last night…therefore shitting bricks when I saw this American Airlines email ticket confirmation this morning. Ya it has a ZIP file. Apparently a trojan.
phew.
I like sticking together. Thanks guys.
Cheers
kirsten
It tricked me because I actually have a flight coming up on American Airlines. Luckily AVG caught it and warned me that it contained a trojan. I hate bastards that send viruses!
Macs Rule!! just got this email today, opened the zip file with my Mac and found out it was an .exe, I started surfing google and found this, Thanks for the posts
I got this sneaky virus.
I fixed it with the above post at the http://www.bleepingcomputers.com software fixes.
Running ComboFix in safe mode, then Malwarebytes anti-malware, then ComboFix a second time to get all my icons and files back.
Then run any and all other antivirus to clean it up.
Your files are not erased, just all completely hidden. Then another fake antivirus posts that you have critical errors and asks you to purchase to fix. Do not listen to this windows looking alert.
Anyways scroll up and follow the directions. It took me hours to get this done due to the many scans needed and ComboFix is a slow process but it worked. Be patient with it.
i always knew it was a virus but if not i might be flying to texas Lol
Dear Customer,
FLIGHT NUMBER AA522
ELECTRONIC 510833740
DATE & TIME / JANUARY 29, 2012, 12:44 PM
ARRIVING / Grand Prairie
TOTAL PRICE / 333.32 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you
American Airlines.
Received the same email in my junkmail, but didn’t open the attachment. The flight referenced Bakersfield, but everything else was the same. It doesn’t even look like an email American Airlines would send.
Thanks so much, I knew it had to be a scam, but like a lot of you thought someone had maybe stolen my credit card details.
Content-Type: text/html;
Content-Transfer-Encoding: 8bit
Hello
FLIGHT NUMBER AA452
ELECTRONIC 825541721
DATE & TIME / JANUARY 28, 2012, 12:44 PM
ARRIVING / Arlington
TOTAL PRICE / 399.32 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
I just checked the message source looks very similar.
It passed my virus protection
Hi! A friend opened the file and I restored the PC to a last restoration point but unfortunately almost all files and programs were gone. I ran ubuntu from a USB stick and all the files were there, I could backup them and re-install windows. Was not the best solution but I could get my files back!!!!
Please let me know if there is a way to fix it without reinstalling thanks !!!
I clicked on this american airlines email on my mac, but did not open any attachments in it. Now, when I log into Safari, the top Yahoo topic is porn. Did this happen to anyone else? Also, any ideas on how to remove it from a mac?
Ab – there are several comments on removal above.
Jeff – not a Mac user but it seems unlikely you got a real virus. Maybe it (or something else) changed your Safari home page or favorites? Also check your DNS settings in the Mac and in your router–seems like I’ve heard of viruses that can hijack the DNS so search results (for example) would return illegitimate sites. You should be using DNS IP addresses from your ISP, or maybe a reputable third party like OpenDNS.
CAN SOMEONE PLEASE GIVE ME A DETAIL STEP BY STEP TO REGAIN MY LOST FILES THANK YOU ANYTHING WOULD BE APPRECIATED
Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments above:
December 16, 2011 – Susan Green
December 16, 2011 – Michael
January 6, 2012 – Teresa
January 16, 2012 – Shea
Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.
This is a pretty nice virus as it is fixable but it’s a little tricky to do. Firstly just so you all know I did not open the file, it was my mother’s laptop who had clicked on it thinking it was a ticket for something booked recently, exactly the people the spam emails were after.
To start I told my mum to turn off the computer urgently. In this case it was 10 minutes after infection so the virus had not run its full course. I then took out the hard drive from the laptop and connected it to my PC. This is to isolate the drive and stop the virus spreading or making the virus files read only. I then run Malwarebyte (a free malicious software scanner available by typing the name in google) on the hard drive to clear up the virus.
Once it had destroyed the .exe file and all the software from running I put the hard drive back in the laptop. I then booted in safe mode (by pressing F8 before the windows splash screen and selecting safe mode) and performed a system restore to before the file was clicked.
This then allowed the computer to boot up as normal but for some reason a load of files were hidden mainly the picture folder so what the virus was doing I can only take a guess. So right click on the picture folder and go to properties and un tick hide. Or you can make hidden files visible by going into tools/folder options and one of the tabs, I can’t remember off the top of my head, to find the files it has hidden.
I then for good measure installed malwarebytes on the laptop and run it to destroy the last of the virus. The laptop is back up and running now with no loss of data and performance back to pre-virus.
Instead of trying to take the hard drive out you could try a system restore in safe mode and then install malwarebytes to kill the files on your hard drive. I did it a long winded way as the photos on the laptop were mainly not backed up and I wanted to make sure they were not lost.
Hope this can help some people.
Thank you Mark!
Mine was to San Diego !
Well, I got one as a PDF and my husband opened it. I had to do a complete System restore from my Windows CD. It bypassed both the antivirus on my email server (1and1) and AVG. It still isn’t showing after a scan by both AVG and Norton. It came as a PDF and from what I can gather, it’s a scam to make you sign up and pay for some sort of software that “fixes” all the “faults” it finds on your computer. It gives you a whole list of stuff that is supposedly dangerous (overheating CPU etc) and it’s all rubbish. It also makes it look like the boot sector has failed and the hard disk is unreadable, which is just silly as the operating system is still working! It’s the first time in 15 years that I have been caught out like this and I am fuming. I would castrate these malicious kiddies if I could get my hands on them.
Thanks for info, I received this today but going to Corpus Christi.
So…I have tried to repair my computer based on the suggestions above. My issue is that none of my programs show up when I go to “Start” and “All Programs.”
If you get rid of the infection by using Malwarebytes or your installed anti-virus program but your documents still don’t show up you can use the attrib command to unhide them.
Open a command prompt by holding down the “Flag” key and pressing “R” or Start>Run and type cmd. Hit enter to get a command prompt. Type the following to unhide all your documents:
(Windows 7) attrib -s -h -r c:\users\{username}\documents\*.* /s /d
(Windows XP) attrib -s -h -r "c:\documents and settings\{username}\my documents\*.*" /s /d
Substitute your user name for {username}. XP requires the quotes. Windows 7 will require quotes if your user name has a space in it.
If your Windows 7 libraries are missing, go to the start globe and click on Computer. Drop down the Organize tab. Click on Folder and Search Options. Click on the View tab. Click Show hidden files, folders, and drives. Click OK. Navigate to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Libraries. Right click on each library folder and left click on Properties. In the General tab, make sure the Hidden box is unchecked.
Thanks Bob, that should help some folks. I think I might recommend starting with just the -h parameter to remove the Hidden attribute:
(Windows 7) attrib -h c:\users\{username}\documents\*.* /s /d
(Windows XP) attrib -h "c:\documents and settings\{username}\my documents\*.*" /s /d
Removing the System (-s) and Read-Only (-r) attributes (e.g. from thumbs.db files) might mess with certain functionality. On the other hand, if the virus sets *every* file to System and Read-Only, you won’t have much choice but to remove those attributes as well.
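One way to choose between the two attrib commands above before changing anything, as an added example (not code from the post or its commenters): it audits which attributes are actually hiding files and returns the narrowest command that will unhide them. The list of normally hidden names and the sample paths are assumptions constructed for illustration; the real scan needs Windows, and read-only is only counted because it does not affect visibility.

```python
import ntpath
import os
import stat
import sys

H = stat.FILE_ATTRIBUTE_HIDDEN
S = stat.FILE_ATTRIBUTE_SYSTEM
R = stat.FILE_ATTRIBUTE_READONLY
A = stat.FILE_ATTRIBUTE_ARCHIVE

# Assumption of this example: files Windows normally keeps hidden anyway.
EXPECTED_HIDDEN = {"desktop.ini", "thumbs.db"}

# Constructed sample entries (path, attribute bits), used when no folder is given.
SAMPLE = [
    (r"C:\Users\demo\Documents\tax-2011.xls", H | A),
    (r"C:\Users\demo\Documents\desktop.ini", H | S | A),
    (r"C:\Users\demo\Documents\notes.txt", A),
]


def audit(entries):
    """Group (path, attribute bits) pairs by what is hiding them."""
    out = {"hidden_only": [], "hidden_system": [], "expected": [], "readonly": 0}
    for path, attrs in entries:
        if attrs & R:
            out["readonly"] += 1          # reported only; does not hide a file
        if not attrs & H:
            continue
        if ntpath.basename(path).lower() in EXPECTED_HIDDEN:
            out["expected"].append(path)
        elif attrs & S:
            out["hidden_system"].append(path)
        else:
            out["hidden_only"].append(path)
    return out


def recommend(report, target):
    """Narrowest attrib command that unhides what the audit found, or None."""
    if report["hidden_system"]:
        # attrib will not clear Hidden on a file that also has System set
        # unless -s is given too; this also touches the 'expected' files.
        switches = "-s -h"
    elif report["hidden_only"]:
        # -h alone is enough, and attrib skips System files such as
        # desktop.ini, so they keep their attributes.
        switches = "-h"
    else:
        return None
    return 'attrib {} "{}\\*.*" /s /d'.format(switches, target)


def windows_entries(root):
    """Yield (path, attribute bits) below root; st_file_attributes is Windows-only."""
    for folder, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(folder, name)
            try:
                yield path, os.lstat(path).st_file_attributes
            except OSError:
                continue                  # unreadable entry, skip it


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        target, entries = sys.argv[1], windows_entries(sys.argv[1])
    else:
        target, entries = r"C:\Users\demo\Documents", SAMPLE
    report = audit(entries)
    print("hidden only:   ", len(report["hidden_only"]))
    print("hidden+system: ", len(report["hidden_system"]))
    print("normally hidden, listed for reference:", len(report["expected"]))
    print("read-only:     ", report["readonly"])
    print("suggested:     ", recommend(report, target) or "nothing to unhide")
```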
I got this email today again, I got it 2 weeks ago but luckily Kaspersky picked it up as a virus.
I wish I knew who sent these as I would gladly shove it right up their arses!!!
This one is still out there. Got through my Google yesterday.
My wife opened this darn thing yesterday. I am by no means a computer guy, but I’ll try the fixes mentioned on here. It appears that my hard drive is deleted – the screen is blank except for the recycle bin, and no files are visible. Hope it’s true that my hard drive isn’t deleted, but just “looks” that way.
Steve
Hi Mark Berry! Thank you so much for the warning! I am writing from Germany, I received the mail also on January 20, 2012, my flight went to Shreveport, Louisiana. The attached file was simply named “Ticket.zip”. Thanks to you, I didn’t open it! Best regards, Hubert
Hubert, glad to hear the warning “arrives” in faraway Germany too! All the best – Mark
I received this in an email tonight, but because I wasn’t going
on a trip I checked my bank account and then the web. I flagged
this spam and never tried to open it on my iPad.
Dear Customer,
FLIGHT NUMBER AA429
ELECTRONIC 627696775
DATE & TIME / JANUARY 25, 2012, 11:52 PM
ARRIVING / Pittsburgh
TOTAL PRICE / 224.44 USD
Please find your ticket attached.
You can print your ticket.
Thank you for your attention.
American Airlines.
Hi the same thing happened to me and I opened in error. Everything seems all right and everything appears to be there and I have full access. I don’t know if anything is missing. I wish I had looked this up on the net before opening it. I will run the Malwarebyte program suggested.
Just got the email… be careful with those stupid dumb scammers!!
Hello
FLIGHT NUMBER A445
ELECTRONIC 767259715
DATE & TIME / JANUARY 23, 2012, 11:22 PM
ARRIVING / Newark
TOTAL PRICE / 382.34 USD
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
just received today
Thanks so much for everyone’s help. Having my identity stolen several times I stupidly opened this one thinking someone had done it again. I NEVER open the darn things. Anyway I quickly realised that the files were only hidden luckily as I had just spent all weekend doing a tax return. But still can’t get the main documents/photos etc icons to be in anything but faint type although I have the actual inserts in normal type with nothing hidden. Any ideas?
My husband unfortunately opened the airline ticket attachment in AOL from his android cell phone. What should we do next?
Thank you everyone else who notified the public. I of course google’d the phrase “airline ticket virus” but was too late for my brilliant husband.
Glenda – maybe your files are still set as System or Read Only. Right-click on a file and check its attributes. See Bob’s and my comments on 1/19 re. changing attributes.
Jill – see my 12/30 comment re. Android.
Thanks Mark. For example I have done that for all my documents and unchecked all the secret and read only boxes and all the documents are in normal type but it is the folder that is in light type! Still just so pleased that I have got this far!
Glenda – folders can have attributes, just like files. You may have to use the command prompt and the ATTRIB command to change all folder attributes. Also be sure to run Malwarebytes and/or other anti-virus programs to make sure you get rid of the actual virus.
Well… I got it… and opened it… and got screwed. I had no idea this dang thing was out there. Our computer is now at the shop being fixed. What a shame!
Is this the virus that is supposed to allow access into your bank accounts? I heard that there is a virus out there right now that comes from the “FDIC” which, if opened allows these jerks to drain your accounts.
MAKE IT STOP!
Not sure what is going on…I got it also and like a dummy I opened it. So I followed the leads from above and am trying to run the stuff from “bleeping computers” but it gets to the scan and runs for awhile ( like 20 mins ) and then it appears to stop..and just sits, won’t continue just sits and sits…
Has anyone else had this problem or know of a solution…I would really like to get this going if possible….
I ran Malwarebytes already and it only found (1) bad file…I found “tickets.exe” and removed it from win/prefecth..didn’t help…so now I’m in limbo..any help would be greatly appreciated.
Bob, see Shea’s comment on 1/16. Sounds like the scans may take hours.
i am saudi
I opened this email, unfortunately,
Download the attached file
And opened the program exe
Delete my files and programmatic and recovery
my laptop is sony vaio
I worked a system restore my files and I came back but was hidden
And then worked Recovery of the system by pressing the F-8
Woe to those who made this virus
thank you mr. mark berry
and
I am sorry for my bad English
bye ^___^
Unfortunately I got an email to Fort Worth, TX. Thank you so much for suggestions posted but my question is if anyone can answer this please. So after the PC crashes and all files lost, sadly, is that all that happens or should I be concerned in that the crashing of the PC is a gateway to any sites I have accessed on the PC like banking sites, loan sites etc that the scammers would be able to retrieve and use my information? Like for example if I go online to pay a bill every month, use credit card to make that payment. Would they have access to that including passwords? Thank you in advance
I just received the American Airlines email today (24th January 2011). Apparently I’m flying to Ontario.
So I got this email today and I opened it because I was going to new york but changed it to miami this past few dates so of course I opened it. So I turned it off then back on and pressed F8, chose safe mode in networking, control panel and had the back up. The thing is that I have two hard drives and the one with my important documents and it seems that they are there because it shows how many space is free but I can see them when I go inside the drive. I tried putting the antivirus and it seems as if it scans all the documents. I don’t have a back up of this disc drive so I can’t go back to its original phase as the other one. Can anyone please help me out?! Write to me to [email removed] I will acknowledge your help, thank you
i own my own computer repair company and i have a few tips for people. these tips are for windows 7 but can be adapted to other versions. im gettin about a call a day about this virus and this has been going on for a week. these tips are for getting your files off your computer before you start playing around
1. your files are not lost they are hidden same with your start menu. shut down your computer and start it in safe mode by hitting f8 and start in safe mode with networking
2. once windows is open in safe mode right click the task bar – then properties – then the middle tab “start menu”
3. once you are in the start menu tab click the “customize” button
4. now click use default settings or manually change them
now when clicking on the start menu you can use my computer again
5. click on my computer
6. click on organize – folder and search options
7. click view tab
8. click the radio button that says show hidden files folders and drives and then ok
9. now when looking at your c drive right click the users folder – properties
10. uncheck the hidden box and when prompted choose to apply the setting to all sub folders
yeay you can see your files
11. pop in a flash drive and copy your documents just watch out for the app data that might be hiding the virus in some sub directories
beyond this every variant of this is a little different and you can pick your weapon of choice to try to remove it
hi there, have just received an email myself from american airlines saying i have bought a flight for 211 usd to houston! fab as i’m terrified of flying so pretty sure i wouldn’t have bought it myself! really glad to see that there are people that help identify stuff like this as i was really worried but googled it and found you lot! do not open it and let all your friends and family know not to open anything similar too.
Julie – I removed your email address from your comment for your own protection. (Publishing your email address online makes it easy for people to send you spam and viruses.) Jason’s comment right below yours may help you at least get a backup of your files. If you are still unsuccessful, you may need to contact a computer professional in your area for help.
Thanks Jason your instructions worked perfectly! I have my documents right back YEAY!
Mark, thanks, even though that email can only open in my blackberry
thanks anyway! This blog helped me with my problems! Woohoooooo!!!!
I also received this email from American Airlines for a destination of Huntsville.
I opened it, because the flight was on January 19 and that is my birthday.
So, simple curiosity.
I had to call in a professional to try to repair the damage.
It is more or less OK, except that I no longer have my photos or my desktop wallpaper.
Plus other things that I have not found again.
Just got the email today. I didn’t open it but it is filtering through the free email accounts on mail.com now. They have pretty good filtering for spam, but this one went directly to my inbox.
Hopefully they send the writer of this virus to prison soon if he’s not already there…
“American Airlines”
Attachment (1)
Ticket.zip
Hello
FLIGHT NUMBER AB712
ELECTRONIC 6489864
DATE & TIME / JANUARY 26, 2012, 09:21 PM
ARRIVING / Oxnard
TOTAL PRICE / 177.11 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for using our airline company services.
American Airlines.
Follow Susan Green’s instructions. It took me about 3 hours total to correct my computer, and I found that I saved nearly 200 dollars (I live in NYC area) that I would have needed for a professional to fix my computer. I decided to reprint them just in case you cannot find them….
Susan Green | December 16, 2011 at 3:33 pm
Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
Here’s what I did to restore his PC:
Closed all open windows
Reboot in safe mode with networking
Because we couldn’t see IE – in search – put in Run and then iexplore.exe
Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
Ran combofix – after it was done the icons returned to the desktop
Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
Started with #7 and Downloaded Malwarebytes and ran it – found 3 items
Continued with #19 to unhide the icons
Rebooted as normal and PC was back to pre-virus state.
Good luck!
Heads up, folks. A very similar scam, this time pretending to be from FedEx:
http://www.mcbsys.com/blog/2012/01/new-fedex-virus-email/
New definitions are starting to catch it. Eset caught it on mine pretty early on.
Owen, are you referring to the airline virus or the FedEx virus? Updated definitions started catching the airline one within a few days in November but obviously a lot of people got it later. Maybe they swap out the virus from time to time. It seems it’s not hard to come up with a virus that gets past scanners for a few days.
I just got the American Airlines email in my junk folder. Knew it couldn’t be good so I’m sooo glad I googled before I opened it!!
Does it affect you if you open the e-mail? I did not open the attachment.
Brandon, no, it should only affect you if you open the zip attachment and open (run) the file inside the attachment.
Just received it! Thank heavens I did no more than open the mail! The last United trojan cost me big bucks to remove!!!
Got one today. The thing is, I’m flying with AA in a week’s time and nearly opened it. Then I said whoaa, my ticket is electronic, I shouldn’t be getting any printout. I read it carefully and it said I’m going to Dallas. Ha, nice try! I ain’t going anywhere near there.
I received this mail today 8 February, 2012
Dear Customer,
FLIGHT NUMBER AA430
ELECTRONIC 9756475
DATE & TIME / FEBRUARY 18, 2012, 11:21 PM
ARRIVING / St.Louis
TOTAL PRICE / 345.11 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
Yawn, got another one of these today, heading for Lexington.
The disturbing thing is that again it has bypassed my anti-virus. It must be really easy to modify viruses to bypass AV now. This one is currently recognized by 8 of 43 engines. Seems like Sophos is often earlier than others in catching these…
In Ireland now I got the airline Virus today 10/2/12 as I had just purchased two flights thinking it was from the airlines confirming the flights. It deleted everything, I tried all of the above un hiding safe mode etc etc looks like a years work down the tubes.
excuse the spelling mistakes so bl..dy angry
Paul, don’t give up on recovering your data just yet. If you’re not having any luck yourself, ask friends/associates until you find a good computer consultant. Let us know how it goes.
My poor parents got it today, I’m glad they called me before trying to open up anything, although, they thought I had been cheeky and booked a flight on their credit card!
Dear Customer,
FLIGHT NUMBER AA888
ELECTRONIC 9294839
DATE & TIME / FEBRUARY 20, 2012, 07:25 AM
ARRIVING / Grand Prairie
TOTAL PRICE / 211.22 USD
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Thank you for using our airline company services.
AA customer services.
I got the same email and my computer completely crashed… It’s asking for a credit card number. Any suggestions to get my files back or do I need to purchase a new computer??
Marianna, under no circumstances should you give it your CC number. There are lots of suggestions on recovering your computer–see the “Update” in the original post, above, to find relevant comments. If you’re not comfortable doing it yourself, find a reputable computer consultant.
Just got this one today, so it’s still doing the rounds. Thanks so much to everyone for the info here…it always helps to be able to google e.g. ‘American Airlines Email Scam’ to then find all the information you need to know! Cheers! Jen in Brisbane Australia!
I was unfortunately traveling and the date just happened to match my departure date, so I opened it and it did as stated above. I immediately found my “system restore” and restored my computer to an earlier date. It took a very long time but it worked. I was so scared that I had lost everything. I wish anyone who is unfortunate enough to open this file the best of luck and I hope this is helpful to them.
I just got this today – I’m surprised the virus checkers are not picking this up.
Got one today to Miami for Feb 19
My husband travels a lot and he was planning a trip for our anniversary this year but I was very suspicious with the date being so close so didn’t open it.
Went on the AA site but didn’t see anything about the hoax.
It got through all our security on my laptop so I’m annoyed about that. What’s the point of the security when I’m getting this and loads of other stuff these last few weeks?
Got this one today… Thanks to this post I saved an earful from my wife…. : ) I thank you all very,very, much….!!!! ; )
Dear Customer,
FLIGHT NUMBER AA645
ELECTRONIC 9354481
DATE & TIME / FEBRUARY 22, 2012, 11:21 PM
ARRIVING / Aurora
TOTAL PRICE / 411.11 USD
Your bought ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you
American Airlines.
As I was just flying with AA I opened my ticket attachment and this scam got me last Thursday and trashed all my files. After a few moments of horrible chaos a screen appeared offering to stop everything if I gave my credit card info. I did not do this but stopped it with System Restore but it was too late. I got to spend all day Friday rebuilding my system, files, etc. Luckily I had just backed everything up onto a DVD a few weeks before so little was lost but time.
I hope the jerks behind this get what is coming to them in this life or the next.
A customer just got this virus, and now all she gets is a black screen saying missing Operating System. The files are there, because when I booted to Hiren’s CD, I could see them. The Windows 7 CD could not fix the startup issue, could not even see the operating system.
Could this virus have changed the active partition?
If so, how does one change it back?
Thanks
Eliot, this is the first I’ve heard of boot issues but who knows what virus these guys are hanging on this email. You might have a rootkit, or maybe it changes the type of partition so Windows can’t see it. If you’re using Hiren’s, I assume you’re pretty technically savvy. If you must get the computer back to its previous state, I believe the folks at http://www.bleepingcomputer.com can help you diagnose and repair it. But it might be faster to just boot from Hiren’s, copy the user files to an external drive, wipe the drive including boot sectors (maybe Boot & Nuke), and re-install Windows.
I have opened the same file. What is really weird is that my two computers and two iPhones are being remotely monitored. They went into my apartment and took the serial numbers of my two laptops. I’ve been trying a lot of things. I got the IP addresses, but the more I try to fix it, I think the more they learn. What can I do???
So, if this has been going on for so long, how come I got it tonight in my inbox – did not open of course – (but always worried about mom if she thinks her credit card was hacked.) My trip was to Aurora. I don’t even know where that is. Fortunately my cc’s are maxed out so no worry for me. What I want to know is if this has been going on for months, why is it still getting past antiviruses? I have AVG. No virus found.
That’s scary. Looks like if they put their minds to something that doesn’t matter, they can accomplish anything. Too bad they don’t just become math geniuses and do something productive for the world.
I got the same email today only with a March 7 date and the city “Columbus.” Thanks.
betty a – my hunch is that they are changing the virus so it continues to get past anti-virus programs.
Also received an email (16 March 2012), coming from “American Airlines” (report-nr162 @ aa.com)… I immediately suspected a virus, as I never ordered a ticket with AA, a confirmation mail would normally be sent with the full name of the passenger (not just “Dear Customer”), there’s NO departure field and the attached file name is just a little too simple (“Ticket_American_Airlines_pdf.zip”). The whole email actually looks too simple to me (no html used, no pictures)…
This was the full text:
Dear Customer,
FLIGHT NUMBER AS1011
ELECTRONIC 6191485
DATE & TIME / MARCH 29, 2012, 10:36 PM
ARRIVING / Milwaukee
TOTAL PRICE / 232.32USD
Please find your ticket attached.
You can print your ticket.
Thank you
American Airlines.
Attached file: Ticket_American_Airlines_pdf.zip
Glad I was able to understand the danger of this mail and to find more info here on the website…
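The attachment this comment describes, and the executable hiding behind a document name that the post shows, can be checked without opening anything. The following is an added example, not part of the original post or any comment: a Python triage that reads only the ZIP directory and flags members whose final extension is executable, decoy document extensions in front of it, and password-protected entries. The member names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click, and the document types a lure imitates.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY = {"pdf", "doc", "docx", "jpg", "txt"}


def triage_zip(data: bytes) -> dict:
    """Map each suspicious member name to its reasons, reading only the
    archive directory: nothing is extracted or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                reasons.append("encrypted")
            # Split the base name on dots; the last part is what Windows acts on.
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) > 1 and parts[-1].strip() in EXECUTABLE:
                reasons.append("executable")
                if any(p.strip() in DECOY for p in parts[1:-1]):
                    reasons.append("double-extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample: invented member names, harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket_American_Airlines.pdf.exe", b"placeholder, not a program")
        zf.writestr("itinerary.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Password-protected archives normally still list their member names in the clear, so the name checks apply even when a scanner cannot read the contents.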
Having recently returned from the U.S. (I live in the UK) I received this email yesterday.
Thankfully I didn’t open it. I googled it first & checked AA’s airline timetable:
Dear Customer,
FLIGHT NUMBER AA8019
ELECTRONIC 3761962
DATE & TIME / MARCH 20, 2012, 10:55 AM
ARRIVING / Oceanside
TOTAL PRICE / 248.48USD
I received this email today:
Hello
FLIGHT NUMBER AA3928
ELECTRONIC 8828759
DATE & TIME / MARCH 23, 2012, 10:33 PM
ARRIVING / New Orleans
TOTAL PRICE / 237.37USD
Your ticket is attached.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
I’ve just received this same American Airlines e-ticket and as it didn’t have a departure airport, I was suspicious and deleted it. Difficult to go on this flight if you’ve got nowhere to fly from!
The ticket was for somewhere I’d never heard of. Shame I didn’t get New York or Chicago! Then I googled it (wrong way round really) and found this. It’s good to know there are good guys out there giving the right advice which is, delete it! I’m so glad I did.
My wife just received similar email: zip file attached. Her “free” ticket was to Amarillo, TX?! Not too suspicious, lol.
I feel for everyone who has had problems from this.
Stay vigilant people.
Thanks for the info, OP.
[...] a new variation on the airline ticket virus email that I reported on last November. An email supposedly from the United States Postal Service says [...]
Dear Customer,
TICKET NUMBER / 1 193 1090373421 1
SEAT / 35A/ZONE 2
DATE / TIME 22 JUNE, 2012, 10:29 PM
ARRIVING / Tampa
FORM OF PAYMENT / CC
TOTAL PRICE / 115.15 USD
REF / EK9330 ST / OK
BAG / 1PC
Your ticket is attached.
To use your ticket you should print it.
Thank you
American Airlines.
Got it today for a flight tomorrow to Riverside, where is Riverside? Since I’m poor and don’t fly, I just checked to see what the attachment was and it was a zip file so I quickly deleted it, and deleted it out of my trash box too.
Dear Customer,
TICKET / 3 303 1387394236 3
SEAT / 37A/ZONE 1
DATE / TIME 17 JUNE, 2012, 10:31 PM
TODAY JUN 10, 2012 I HAVE RECEIVED THE VIRUS WITH ATTACHMENT, SO I LIVE IN MEXICO AND NEVER BEEN IN CLEVELAND…SO THE JACKER NEVER MIND IN THIS,….
ARRIVING / Cleveland
FORM OF PAYMENT / CC
TOTAL PRICE / 371.71 USD
REF / KE1431 ST / OK
BAG / 2PC
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should print it.
Dear Customer,
FLIGHT NUMBER A59-264
DATE & TIME / JUNE 22, 2012, 10:117 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 422.34 USD
Please download and print out your ticket here:
DOWNLOAD
Amercian Airlines{br[1-5]}
Well I got hit, stupidly got fooled. Opened the attachment (winzip) and inside were a folder and an Adobe? read file. I clicked the read file and it just disappeared, nothing happened. I clicked the file and there were multiple sub folders with gibberish in it. I ran AVG and nothing, I ran my spyware program (I believe it’s called spyzilla) and nothing. No folders disappearing. I’ll go home and see if I can get my Malwarebytes program to work but I wonder if I dodged a bullet?
Jason, you could well be infected even if the programs aren’t picking it up yet. Update your anti-virus program every day and scan every day for at least a week. I use Microsoft Security Essentials for real-time protection and automatic daily scanning, and I additionally run manual scans with Malwarebytes when I am worried about an infection.
My wife ordered a plane ticket and I opened the ticket (wrong airline) and got the virus. It disables my Microsoft Security Essentials. I tried to restore to earlier version but it will not let me. I loaded my Windows 7 disc before I left for work this morning and loaded my Microsoft Security Essentials and let it do a full scan. I hope I have good news when I get home this afternoon.
Jack
I updated my AVG, Stop Zilla, and loaded Malwarebytes. I ran all 3. Interestingly AVG didn’t catch anything but stopzilla found about 4 trojans and Malwarebytes found another 3. Deleted them all, reloaded windows, ran both programs again and came back clean. I waited a few days and ran again with the same results so I think I took care of it. Definitely a tricky bastard and I learned a lesson.
I got the email today.
Dear Customer,
TICKET NUMBER / 3 596 1224304576 3
SEAT / 73E/ZONE 1
DATE / TIME 28 OCTOBER, 2012, 10:59 AM
ARRIVING / New Orleans
FORM OF PAYMENT / CC
TOTAL PRICE / 337.37 USD
REF / OE7710 ST / OK
BAG / 4PC
Your ticket is attached.
To use your ticket you should print it.
Thank you for your attention.
American Airlines.
The sender was, [removed]
I didn’t open the .exe file named: AA_TICKET.ZIP
I got the email today:
Dear Customer,
E-TICKET / 3 950 1259853817 3
SEAT / 37A/ZONE 3
DATE / TIME 22 OCTOBER, 2012, 10:40 PM
ARRIVING / Yonkers
FORM OF PAYMENT / CC
TOTAL PRICE / 355.55 USD
REF / EF4440 ST / OK
BAG / 3PC
Please find your ticket attached.
To use your ticket you should print it.
Thank you
American Airlines.
I received this today, it bypassed all my security. It just seemed too strange to open it, googled AA email spam and found this confirmation, thanks!
Dear Customer,
TICKET / 1 666 1313956328 1
SEAT / 49F/ZONE 2
DATE / TIME 26, DECEMBER, 2012, 10:26 PM
ARRIVING / Lexington
FORM OF PAYMENT / CC
TOTAL PRICE / 184.84 USD
REF / OE9006 ST / OK
BAG / 5PC
Your ticket is attached.
To use your ticket you should print it.
Thank you
American Airlines.
Got this today. Knew it was fishy, in particular when the date of flight has already passed.
It’s Nov. 10, 2012 today and the info states June 24, 2012. Had to google it to make sure.
Thanks!
To open archive pleace use this password: AATicket
Dear Customer,
TICKET / 2 298 1044938503 2
SEAT / 10A/ZONE 2
DATE / TIME 24 JUNE, 2012, 10:32 AM
ARRIVING / Colorado Springs
FORM OF PAYMENT / CC
TOTAL PRICE / 262.62 USD
REF / KE4854 ST / OK
BAG / 5PC
Your bought ticket is attached.
You can print your ticket.
To open archive please use this password: ticket6