New Airline Ticket Virus Email

Today I received an email supposedly from American Airlines with a Zip file attachment:

[Image: American Airlines ticket virus 1]

If you open the zip file, you’ll see what looks like a Word document:

[Image: American Airlines ticket virus 2]

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

[Image: American Airlines ticket virus 3]

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
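The check described above (a "document" inside the zip that is really a program) can be made without extracting or opening anything. The following is an added example, not part of the original post; the member names and 64-byte stubs are constructed, and the extension lists are illustrative assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically imitates.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like a disguised program."""
    reasons = []
    # Windows ignores trailing dots/spaces, and padding spaces before the
    # real extension are a common way to push it out of view.
    suffixes = [s.strip().lower()
                for s in PurePosixPath(name.rstrip(". ")).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
            reasons.append("double extension imitating a document")
    # Content check: DOS/PE executables start with the bytes "MZ",
    # whatever the file name claims.
    if head[:2] == b"MZ":
        reasons.append("content starts with MZ (Windows executable header)")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; nothing is extracted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content is unreadable
                findings[info.filename] = ["encrypted member, cannot inspect"]
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive with harmless stubs, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Itinerary.doc", b"MZ" + b"\x00" * 62)  # renamed program
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

A mail gateway or a cautious user could run the same two checks (name and first bytes) on any attachment before it reaches a double-click.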

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

  • December 16, 2011 – Susan Green
  • December 16, 2011 – Michael
  • January 6, 2012 – Teresa
  • January 16, 2012 – Shea
  • January 19, 2012 – Bob
  • January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

219 thoughts on “New Airline Ticket Virus Email”

  1. Mark Berry Post author

    Just noticed that in all the examples submitted, not a single one lists a departing city. When have you ever received a flight confirmation that didn’t list the from AND to airports? Of course if they put that in there, it would make the fraud more obvious, since they would be unlikely to list your local airport.

  2. S. Parisi

    I received mine the other day. Apparently I was traveling to Newark on 1/13/12. I’m glad I didn’t open it. Thank you all for the heads up.

  3. Nick

    I’d suffered the results of the virus since I’d scheduled a flight on American Airlines and assumed the email was legitimate without reading details before opening the attachment. My computer specialist was able to recover my primary desktop but not the JPG photos on my pocket hard drive. Is there a good way to recover these?

  4. Nathan

    I got this too and it got past all of my security

    I sent it on to American Airlines over a week ago
    not heard a thing from them
    they obviously don’t give a $%*t

  5. Mr Vang

    I just got this today… glad I searched. My Avast antivirus won’t let me open the zip. It says it contains trojan virus.

  6. Emily

    Afternoon all,
    Currently living in England and due to fly to New York for a 5 day break next week, was surprised to see this in my email box, thought it was my real ticket as my mum has sorted the flights out, I really thought she has just got the airline to forward the ticket to me!!… Thanks to all your comments I deleted it and no virus infected anywhere! :) x

  7. DJ

    All I have to say is that you people do a great act of charity by saving a lot of people a lot of heart ache! I received the email…was suspicious so I opened it with my IPAD instead of my home PC. I even opened the zip file but the file informed me that it could not be opened in DOS mode…it appeared to be an .EXE file…so I deleted all the files associated with the email…looked at your blog, realized I should have looked up the possibility of this being a virus before ever opening it even on the IPAD. Thanks again !!!!

  8. jh

    The damn virus still going around, luckily my spyware caught it. They should lock those people up with nothing better to do. Do some good for the world instead of infecting people’s computer. What a waste of talent.

  9. scarrlitte

    It IS still going around! My mom’s computer has a virus or something, we know that, and I’m going to run Malwarebytes and some other stuff on it this weekend. But last week, my sister and her husband, who live in Chicago, were leaving and had checked in for their American Airlines flight using our mom’s computer the night before. Later that same night, our mom received an official looking email regarding a flight she supposedly had booked for Chicago! Makes you wonder if someone is monitoring my mom’s computer activity! How was it that it knew to send an email about a flight to Chicago and not JFK or some other city??

  10. Mark Berry Post author

    scarrlitte, good question. You’re the first to mention the possibility of a targeted campaign. It’s probably a coincidence, but post back if your scans turn up any nasties on her computer!

  11. Mark Berry Post author

    John, check the comments above dated 12/16/2011 and 1/16/2012 for suggestions. Use at your own risk. If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

  12. Pam Sanford

    I also received this today. @ weeks ago we had a $400 charge on one of our debit cards in England so needless to say, it freaked me out thinking it has happened again. I got as far as the step before opening attachment and thought…wait a minute, better google this just in case. Thank God everyone posted, Thank You. Next step….sending it on to AA.

  13. Pam Sanford

    Scarrlitt….very good question. I have not been on any airline websites but, I live in Tn and originally from Wa. state. If I were to visit, I would fly into Spokane, which is exactly where they said this ticket went to. Coincidence? How many here that have posted have the “same” coincidence?

  14. Borry

    I received last night on mail. but why my ticket more than very expensive :)

    Dear Customer,
    FLIGHT NUMBER A445
    ELECTRONIC 385366975
    DATE & TIME / JANUARY 30, 2012, 12:44 AM
    ARRIVING / Philadelphia
    TOTAL PRICE / 324.22 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

  15. Ryan

    I received one of these today (I’m off to Pittsburgh apparently). Was somewhat suspicious but as the attachment claimed to be a .MIM file rather than a .exe or .zip and such file extensions appeared to be safe according to fileinfo.com, I tried to open it. Luckily my PC wouldn’t open it without choosing a program to open it with. I assume, the senders could have changed the file type to disguise that it was a .exe or zip file?
    Have done a full system scan with Norton and found nothing so hopefully I have had a lucky escape.

  16. racjel

    Received one this morning going to Anaheim. I opened thru my blackberry & couldn’t click the link. Thank goodness I kept it away from my computer. Thanks for all of the info :)

  17. Mark Berry Post author

    Ryan, looks like Winzip and even Outlook opens .mim (MIME) files. I bet if you had one of those installed, as many people do, it would have opened to reveal an executable, which if clicked would have installed the virus. Yes, a lucky escape! http://www.fileinfo.com/extension/mim

  18. Bo Cochran

    I just got this email, thankfully I googled it…

    Dear Customer,
    FLIGHT NUMBER A842BA
    ELECTRONIC 566801615
    DATE & TIME / JANUARY 26, 2012, 12:44 PM
    ARRIVING / Tacoma
    TOTAL PRICE / 389.35 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  19. kirsten

    Just got this email this morning. I was almost fooled…I had used credit card online last night…therefore shitting bricks when I saw this American Airlines email ticket confirmation this morning. Ya it has a ZIP file. Apparently a trojan.
    phew.
    I like sticking together. Thanks guys.
    Cheers
    kirsten

  20. Amber

    It tricked me because I actually have a flight coming up on American Airlines. Luckily AVG caught it and warned me that it contained a trojan. I hate bastards that send viruses!

  21. Marlon

    Macs Rule!! just got this email today, opened the zip file with my Mac and found out it was an .exe, I started surfing google and found this, Thanks for the posts

  22. Shea

    I got this sneaky virus.
    I fixed it with the above post at the http://www.bleepingcomputers.com software fixes.
    Running ComboFix in safe mode, then Malwarebytes anti-malware, then ComboFix a second time to get all my icons and files back.
    Then run any and all other antivirus to clean it up.
    Your files are not erased, just all completely hidden. Then another fake antivirus posts that you have critical errors and asks you to purchase to fix. Do not listen to this windows looking alert.
    Anyways scroll up and follow the directions. It took me hours to get this done due to the many scans needed and ComboFix is a slow process but it worked. Be patient with it.

  23. phill

    i always knew it was a virus but if not i might be flying to texas Lol

    Dear Customer,
    FLIGHT NUMBER AA522
    ELECTRONIC 510833740
    DATE & TIME / JANUARY 29, 2012, 12:44 PM
    ARRIVING / Grand Prairie
    TOTAL PRICE / 333.32 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.

  24. Denise

    Received the same email in my junkmail, but didn’t open the attachment. The flight referenced Bakersfield, but everything else was the same. It doesn’t even look like an email American Airlines would send.

  25. Cate

    Thanks so much, I knew it had to be a scam, but like a lot of you thought someone had maybe stolen my credit card details.

    Content-Type: text/html;
    Content-Transfer-Encoding: 8bit

    Hello
    FLIGHT NUMBER AA452
    ELECTRONIC 825541721
    DATE & TIME / JANUARY 28, 2012, 12:44 PM
    ARRIVING / Arlington
    TOTAL PRICE / 399.32 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

    I just checked the message source looks very similar.

    It passed my virus protection

  26. Ab

    Hi! A friend opened the file and I restored the PC to a last restoration point but unfortunately almost all files and programs were gone. I ran ubuntu from a USB stick and all the files were there, I could backup them and re-install windows. Was not the best solution but I could get my files back!!!!

  27. Ab

    Please let me know if there is a way to fix it without re-installing thanks !!!

  28. Jeff

    I clicked on this american airlines email on my mac, but did not open any attachments in it. Now, when I log into Safari, the top Yahoo topic is porn. Did this happen to anyone else? Also, any ideas on how to remove it from a mac?

  29. Mark Berry Post author

    Ab – there are several comments on removal above.

    Jeff – not a Mac user but it seems unlikely you got a real virus. Maybe it (or something else) changed your Safari home page or favorites? Also check your DNS settings in the Mac and in your router–seems like I’ve heard of viruses that can hijack the DNS so search results (for example) would return illegitimate sites. You should be using DNS IP addresses from your ISP, or maybe a reputable third party like OpenDNS.

  30. STEPHEN

    CAN SOMEONE PLEASE GIVE ME A DETAIL STEP BY STEP TO REGAIN MY LOST FILES THANK YOU ANYTHING WOULD BE APPRECIATED

  31. Mark Berry Post author

    Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments above:

    December 16, 2011 – Susan Green
    December 16, 2011 – Michael
    January 6, 2012 – Teresa
    January 16, 2012 – Shea

    Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

  32. Peter Buckley

    This is a pretty nice virus as it is fixable but it’s a little tricky to do. Firstly just so you all know I did not open the file, it was my mothers laptop who had clicked on it thinking it was a ticket for something booked recently, exactly the people the spam emails were after.

    To start I told my mum to turn off the computer urgently. In this case it was 10 minutes after infection so the virus had not run its full course. I then took out the hard drive from the laptop and connected it to my PC. This is to isolate the drive and stop the virus spreading or making the virus files read only. I then run Malwarebyte (a free malicious software scanner available by typing the name in google) on the hard drive to clear up the virus.

    Once it had destroyed the .exe file and all the software from running I put the hard drive back in the laptop. I then booted in safe mode (by pressing F8 before the windows splash screen and selecting safe mode) and performed a system restore to before the file was clicked.

    This then allowed the computer to boot up as normal but for some reason a load of files were hidden mainly the picture folder so what the virus was doing I can only take a guess. So right click on the picture folder and go to properties and un tick hide. Or you can make hidden files visible by going into tools/folder options and one of the tabs, I can’t remember off the top of my head, to find the files it has hidden.

    I then for good measure installed malwarebytes on the laptop and run it to destroy the last of the virus. The laptop is back up and running now with no loss of data and performance back to pre-virus.

    Instead of trying to take the hard drive out you could try a system restore in safe mode and then install malwarebytes to kill the files on your hard drive. I did it a long winded way as the photos on the laptop were mainly not backed up and I wanted to make sure they were not lost.

    Hope this can help some people.

  33. Shira

    Well, I got one as a PDF and my husband opened it. I had to do a complete System restore from my Windows CD. It bypassed both the antivirus on my email server (1and1) and AVG. It still isn’t showing after a scan by both AVG and Norton. It came as a PDF and from what I can gather, it’s a scam to make you sign up and pay for some sort of software that “fixes” all the “faults” it finds on your computer. It gives you a whole list of stuff that is supposedly dangerous (overheating CPU etc) and it’s all rubbish. It also makes it look like the boot sector has failed and the hard disk is unreadable, which is just silly as the operating system is still working! It’s the first time in 15 years that I have been caught out like this and I am fuming. I would castrate these malicious kiddies if I could get my hands on them.

  34. Tessa

    Thanks for info I received this today but going to Corpus Christi.

  35. Kali

    So…I have tried to repair my computer based on the suggestions above. My issue is that none of my programs show up when I go to “Start” and “All Programs.”

  36. Bob

    If you get rid of the infection by using Malwarebytes or your installed anti-virus program but your documents still don’t show up you can use the attrib command to unhide them.

    Open a command prompt by holding down the “Flag” key and pressing “R” or Start>Run and type cmd. Hit enter to get a command prompt. Type the following to unhide all your documents:

    (Windows 7) attrib -s -h -r c:\users\{username}\documents\*.* /s /d
    (Windows XP) attrib -s -h -r "c:\documents and settings\{username}\my documents\*.*" /s /d

    Substitute your user name for {username}. XP requires the quotes. Windows 7 will require quotes if your user name has a space in it.

    If your Windows 7 libraries are missing, go to the start globe and click on Computer. Drop down the Organize tab. Click on Folder and Search Options. Click on the View tab. Click Show hidden files, folders, and drives. Click OK. Navigate to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Libraries. Right click on each library folder and left click on Properties. In the General tab, make sure the Hidden box is unchecked.

  37. Mark Berry Post author

    Thanks Bob, that should help some folks. I think I might recommend starting with just the -h parameter to remove the Hidden attribute:

    (Windows 7) attrib -h c:\users\{username}\documents\*.* /s /d
    (Windows XP) attrib -h "c:\documents and settings\{username}\my documents\*.*" /s /d

    Removing the System (-s) and Read-Only (-r) attributes (e.g. from thumbs.db files) might mess with certain functionality. On the other hand, if the virus sets *every* file to System and Read-Only, you won’t have much choice but to remove those attributes as well.

  38. J. Hall

    I got this email today again, I got it 2 weeks ago but luckily Kaspersky picked it up as a virus.
    I wish I knew who sent these as I would gladly shove it right up their arses!!!

  39. Kiel

    This one is still out there. Got through my Google yesterday.

  40. Steve

    My wife opened this darn thing yesterday. I am by no means a computer guy, but I’ll try the fixes mentioned on here. It appears that my hard drive is deleted – the screen is blank except for the recycle bin, and no files are visible. Hope it’s true that my hard drive isn’t deleted, but just “looks” that way.

    Steve

  41. Hubert

    Hi Mark Berry! Thank you so much for the warning! I am writing from Germany, I received the mail also on January 20, 2012, my flight went to Shreveport, Louisiana. The attached file was simply named “Ticket.zip”. Thanks to you, I didn’t open it! Best regards, Hubert

  42. Mark Berry Post author

    Hubert, I’m glad the warning is “getting through” even in faraway Germany! All the best – Mark

  43. Louise

    I received this in an email tonight, but because I wasn’t going
    on a trip I checked my bank account and then the web. I flagged
    this spam and never tried to open it on my iPad.

    Dear Customer,
    FLIGHT NUMBER AA429
    ELECTRONIC 627696775
    DATE & TIME / JANUARY 25, 2012, 11:52 PM
    ARRIVING / Pittsburgh
    TOTAL PRICE / 224.44 USD

    Please find your ticket attached.
    You can print your ticket.

    Thank you for your attention.
    American Airlines.

  44. Jacquie

    Hi the same thing happened to me and I opened in error. Everything seems all right and everything appears to be there and I have full access. I don’t know if anything is missing. I wish I had looked this up on the net before opening it. I will run the Malwarebyte program suggested.

  45. HC

    Just got the email… be careful with those stupid dumb scammers!!

    Hello
    FLIGHT NUMBER A445
    ELECTRONIC 767259715
    DATE & TIME / JANUARY 23, 2012, 11:22 PM
    ARRIVING / Newark
    TOTAL PRICE / 382.34 USD

    Please find your ticket attached.
    To use your ticket you should print it.

    Thank you
    American Airlines.
