New Airline Ticket Virus Email

Today I received an email supposedly from American Airlines with a Zip file attachment:

American Airlines ticket virus 1

If you open the zip file, you’ll see what looks like a Word document:

American Airlines ticket virus 2

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

American Airlines ticket virus 3

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
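The same check can be made without opening anything in Explorer. The Python sketch below is an added example, not part of the original post: it lists a zip's members without extracting them and flags programs dressed up as documents. The extension sets, function names and sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click (a common subset, not exhaustive).
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document-style tokens used to dress a program up as a ticket or scan.
DECOYS = {"doc", "docx", "pdf", "rtf", "xls", "xlsx", "jpg", "png"}


def shown_with_extensions_hidden(name):
    """Approximate Explorer's display name when known extensions are hidden."""
    return PureWindowsPath(name).stem


def check_member(name, head):
    """Return the reasons one archive member deserves suspicion (may be empty)."""
    path = PureWindowsPath(name)
    ext = path.suffix.lower()
    reasons = []
    if head[:2] == b"MZ":  # DOS/PE header: a Windows program whatever its name
        reasons.append("content starts with MZ executable header")
    if ext in RUNNABLE:
        reasons.append(f"runnable extension {ext}")
        # Catches "Ticket.doc.exe" as well as "Ticket_pdf.exe".
        tokens = re.split(r"[._\-\s]+", path.stem.lower())
        decoys = [t for t in tokens if t in DECOYS]
        if decoys:
            reasons.append(f"document-style name ({decoys[0]}) on a program")
    return reasons


def scan_zip(data):
    """List suspicious members of a zip given as bytes; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(2)
            except RuntimeError:  # password-protected member: content unreadable
                head = b""
            reasons = check_member(info.filename, head)
            if reasons:
                findings.append({"name": info.filename,
                                 "shown_as": shown_with_extensions_hidden(info.filename),
                                 "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed sample: inert bytes; only the names and first two bytes matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed sample text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['name']!r} shows as {f['shown_as']!r}: {'; '.join(f['reasons'])}")
```

The header check also catches a program that has been renamed to a harmless-looking extension, which the name checks alone would miss.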

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

  • December 16, 2011 – Susan Green
  • December 16, 2011 – Michael
  • January 6, 2012 – Teresa
  • January 16, 2012 – Shea
  • January 19, 2012 – Bob
  • January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

219 thoughts on “New Airline Ticket Virus Email”

  1. Glenda

    Thanks so much for everyone’s help. Having my identity stolen several times I stupidly opened this one thinking someone had done it again. I NEVER open the darn things. Anyway I quickly realised that the files were only hidden luckily as I had just spent all weekend doing a tax return. But still can’t get the main documents/photos etc icons to be in anything but faint type although I have the actual inserts in normal type with nothing hidden. Any ideas?

  2. Jill & Keith Scott

    My husband unfortunately opened the airline ticket attachment in AOL from his android cell phone. What should we do next?

    Thank you everyone else who notified the public. I of course google’d the phrase “airline ticket virus” but was too late for my brilliant husband.

  3. Mark Berry Post author

    Glenda – maybe your files are still set as System or Read Only. Right-click on a file and check its attributes. See Bob’s and my comments on 1/19 re. changing attributes.

    Jill – see my 12/30 comment re. Android.

  4. Glenda

    Thanks Mark. For example I have done that for all my documents and unchecked all the secret and read only boxes and all the documents are in normal type but it is the folder that is in light type! Still just so pleased that I have got this far!

  5. Mark Berry Post author

    Glenda – folders can have attributes, just like files. You may have to use the command prompt and the ATTRIB command to change all folder attributes. Also be sure to run Malwarebytes and/or other anti-virus programs to make sure you get rid of the actual virus.

  6. Elizabeth

    Well… I got it… and opened it… and got screwed. I had no idea this dang thing was out there. Our computer is now at the shop being fixed. What a shame!

    Is this the virus that is supposed to allow access into your bank accounts? I heard that there is a virus out there right now that comes from the “FDIC” which, if opened allows these jerks to drain your accounts.

    MAKE IT STOP!

  7. Bob

    Not sure what is going on…I got it also and like a dummy I opened it. So I followed the leads from above and am trying to run the stuff from “bleeping computers” but it gets to the scan and runs for a while (like 20 mins) and then it appears to stop..and just sits, won’t continue, just sits and sits…
    Has anyone else had this problem or know of a solution…I would really like to get this going if possible….
    I ran Malwarebytes already and it only found (1) bad file…I found “tickets.exe” and removed it from win/prefetch..didn’t help…so now I’m in limbo..any help would be greatly appreciated.

  8. amer

    i am saudi

    I opened this email, unfortunately,

    Download the attached file

    And opened the program exe

    Delete my files and programmatic and recovery

    my laptop is sony vaio
    I worked a system restore my files and I came back but was hidden

    And then worked Recovery of the system by pressing the F-8

    Woe to those who made this virus

    thank you mr. mark berry

    and
    I am sorry for my bad English

    bye ^___^

  9. jane k

    Unfortunately I got an email to Fort Worth, TX. Thank you so much for suggestions posted but my question is if anyone can answer this please. So after the PC crashes and all files lost, sadly, is that all that happens or should I be concerned in that the crashing of the PC is a gateway to any sites I have accessed on the PC like banking sites, loan sites etc. that the scammers would be able to retrieve and use my information? Like for example if I go online to pay a bill every month, use credit card to make that payment. Would they have access to that including passwords? Thank you in advance

  10. Chris

    I just received the American Airlines email today (24th January 2011). Apparently I’m flying to Ontario.

  11. Julie

    So I got this email today and I opened it because I was going to New York but changed it to Miami these past few dates so of course I opened it. So I turned it off then back on and pressed F8, chose safe mode in networking, control panel and had the back up. The thing is that I have two hard drives and the one with my important documents and it seems that they are there because it shows how much space is free but I can see them when I go inside the drive. I tried putting the antivirus and it seems as if it scans all the documents. I don’t have a back up of this disc drive so I can’t go back to its original phase as the other one. Can anyone please help me out?! Write to me to [email removed] I will acknowledge your help, thank you

  12. jason

    i own my own computer repair company and i have a few tips for people. these tips are for windows 7 but can be adapted to other versions. im gettin about a call a day about this virus and this has been going on for a week. these tips are for getting your files off your computer before you start playing around

    1. your files are not lost they are hidden same with your start menu. shut down your computer and start it in safe mode by hitting f8 and start in safe mode with networking
    2. once windows is open in safe mode right click the task bar – then properties – then the middle tab “start menu”
    3. once you are in the start menu tab click the “customize” button
    4. now click use default settings or manually change them

    now when clicking on the start menu you can use my computer again

    5. click on my computer
    6. click on organize – folder and search options
    7. click view tab
    8. click the radio button that says show hidden files folders and drives and then ok
    9. now when looking at your c drive right click the users folder – properties
    10. uncheck the hidden box and when prompted choose to apply the setting to all sub folders

    yeay you can see your files

    11. pop in a flash drive and copy your documents just watch out for the app data that might be hiding the virus in some sub directories

    beyond this every variant of this is a little different and you can pick your weapon of choice to try to remove it

  13. lauren

    hi there, have just received an email myself from american airlines saying i have bought a flight for 211 usd to houston! fab as i’m terrified of flying so pretty sure i wouldn’t have bought it myself! really glad to see that there are people that help identify stuff like this as i was really worried but googled it and found you lot! do not open it and let all your friends and family know not to open anything similar too.

  14. Mark Berry Post author

    Julie – I removed your email address from your comment for your own protection. (Publishing your email address online makes it easy for people to send you spam and viruses.) Jason’s comment right below yours may help you at least get a backup of your files. If you are still unsuccessful, you may need to contact a computer professional in your area for help.

  15. Julie

    Thanks Jason your instructions worked perfectly! I have my documents right back YEAY!

    Mark, thanks, even though that email can only open in my blackberry ;) thanks anyway! This blog helped me with my problems! Woohoooooo!!!!

    :D

  16. JANINE(France)

    I also received this email from American Airlines for a destination of Huntsville.
    I opened it, because the flight was on January 19 and that is my birthday.
    So, simple curiosity.
    I had to call in a professional to try to repair the damage.
    It is more or less OK, except that I no longer have my photos or my desktop wallpaper.
    Plus other things that I have not found again.

  17. David

    Just got the email today. I didn’t open it but it is filtering through the free email accounts on mail.com now. They have pretty good filtering for spam, but this one went directly to my inbox.
    Hopefully they send the writer of this virus to prison soon if he’s not already there…

    “American Airlines”
    Attachment (1)

    Ticket.zip

    Hello

    FLIGHT NUMBER AB712
    ELECTRONIC 6489864
    DATE & TIME / JANUARY 26, 2012, 09:21 PM
    ARRIVING / Oxnard
    TOTAL PRICE / 177.11 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you for using our airline company services.
    American Airlines.

  18. Nicole

    Follow Susan Green’s instructions. It took me about 3 hours total to correct my computer, and I found that I saved nearly 200 dollars (I live in NYC area) that I would have needed for a professional to fix my computer. I decided to reprint them just in case you cannot find them….
    Susan Green | December 16, 2011 at 3:33 pm
    Just helped a co-worker with this. It appeared he lost everything but it was all hidden…
    Here’s what I did to restore his PC:
    Closed all open windows
    Reboot in safe mode with networking
    Because we couldn’t see IE – in search – put in Run and then iexplore.exe
    Went to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and downloaded combofix – print all instructions first.
    Ran combofix – after it was done the icons returned to the desktop
    Went to: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    Started with #7 and downloaded Malwarebytes and ran it – found 3 items
    Continued with #19 to unhide the icons
    Rebooted as normal and PC was back to pre-virus state.

    Good luck!

  19. Owen

    New definitions are starting to catch it. Eset caught it on mine pretty early on.

  20. Mark Berry Post author

    Owen, are you referring to the airline virus or the FedEx virus? Updated definitions started catching the airline one within a few days in November but obviously a lot of people got it later. Maybe they swap out the virus from time to time. It seems it’s not hard to come up with a virus that gets past scanners for a few days.

  21. Cam

    I just got the American Airlines email in my junk folder. Knew it couldn’t be good so I’m sooo glad I googled before I opened it!!

  22. Mark Berry Post author

    Brandon, no, it should only affect you if you open the zip attachment and open (run) the file inside the attachment.

  23. PansyAston

    Just received it! Thank heavens I did no more than open the mail! The last United trojan cost me big bucks to remove!!!

  24. Brian

    Got one today. The thing is, I’m flying with AA in a week’s time and nearly opened it. Then I said whoaa, my ticket is electronic, I shouldn’t be getting any printout. I read it carefully and it said I’m going to Dallas. Ha, nice try! I ain’t going anywhere near there.

  25. yo

    I received this mail today 8 February, 2012

    Dear Customer,

    FLIGHT NUMBER AA430
    ELECTRONIC 9756475
    DATE & TIME / FEBRUARY 18, 2012, 11:21 PM
    ARRIVING / St.Louis
    TOTAL PRICE / 345.11 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for your attention.
    American Airlines.

  26. Mark Berry Post author

    Yawn, got another one of these today, heading for Lexington.

    The disturbing thing is that again it has bypassed my anti-virus. It must be really easy to modify viruses to bypass AV now. This one is currently recognized by 8 of 43 engines. Seems like Sophos is often earlier than others in catching these…

  27. paul

    In Ireland now I got the airline virus today 10/2/12 as I had just purchased two flights, thinking it was from the airlines confirming the flights. It deleted everything. I tried all of the above, unhiding, safe mode etc etc. Looks like a year’s work down the tubes.

  28. Mark Berry Post author

    Paul, don’t give up on recovering your data just yet. If you’re not having any luck yourself, ask friends/associates until you find a good computer consultant. Let us know how it goes.

  29. Alisha

    My poor parents got it today, I’m glad they called me before trying to open up anything, although, they thought I had been cheeky and booked a flight on their credit card!

    Dear Customer,

    FLIGHT NUMBER AA888
    ELECTRONIC 9294839
    DATE & TIME / FEBRUARY 20, 2012, 07:25 AM
    ARRIVING / Grand Prairie
    TOTAL PRICE / 211.22 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you for using our airline company services.
    AA customer services.

  30. Marianna

    I got the same email and my computer completely crashed… It’s asking for a credit card number. Any suggestions to get my files back or do I need to purchase a new computer??

  31. Mark Berry Post author

    Marianna, under no circumstances should you give it your CC number. There are lots of suggestions on recovering your computer–see the “Update” in the original post, above, to find relevant comments. If you’re not comfortable doing it yourself, find a reputable computer consultant.

  32. jen venardos

    Just got this one today, so it’s still doing the rounds. Thanks so much to everyone for the info here…it always helps to be able to google e.g. ‘American Airlines Email Scam’ to then find all the information you need to know! Cheers! Jen in Brisbane Australia!

  33. Jc

    I unfortunately was traveling and the date just happened to match my departure date, so I opened it and it did as stated above. I immediately found my “system restore” and restored my computer to an earlier date. It took a very long time but it worked. I was so scared that I had lost everything. I wish anyone who is unfortunate enough to open this file the best of luck and I hope this is helpful to them.

  34. Sweeeny

    I just got this today – I’m surprised the virus checkers are not picking this up.

  35. Sandra

    Got one today to Miami for Feb 19
    My husband travels a lot and he was planning a trip for our anniversary this year but I was very suspicious with the date being so close so didn’t open it.
    Went on the AA site but didn’t see anything about the hoax.
    It got through all our security on my laptop so I’m annoyed about that. what’s the point of the security when I’m getting this and loads of other stuff this last few weeks.

  36. Chris

    Got this one today… Thanks to this post I saved an earful from my wife…. : ) I thank you all very, very much….!!!! ; )

    Dear Customer,

    FLIGHT NUMBER AA645
    ELECTRONIC 9354481
    DATE & TIME / FEBRUARY 22, 2012, 11:21 PM
    ARRIVING / Aurora
    TOTAL PRICE / 411.11 USD

    Your bought ticket is attached to the letter as a scan document.
    You can print your ticket.

    Thank you
    American Airlines.

  37. Mark R

    As I was just flying with AA I opened my ticket attachment and this scam got me last Thursday and trashed all my files. After a few moments of horrible chaos a screen appeared offering to stop everything if I gave my credit card info. I did not do this but stopped it with System Restore but it was too late. I got to spend all day Friday rebuilding my system, files, etc. Luckily I had just backed everything up onto a DVD a few weeks before so little was lost but time.

    I hope the jerks behind this get what is coming to them in this life or the next.

  38. Eliot

    A customer just got this virus, and now all she gets is a black screen saying missing Operating System. The files are there, because when I booted to Hiren’s CD, I could see them. The Windows 7 CD could not fix the startup issue, could not even see the operating system.
    Could this virus have changed the active partition?
    If so, how does one change it back?
    Thanks

  39. Mark Berry Post author

    Eliot, this is the first I’ve heard of boot issues but who knows what virus these guys are hanging on this email. You might have a rootkit, or maybe it changes the type of partition so Windows can’t see it. If you’re using Hiren’s, I assume you’re pretty technically savvy. If you must get the computer back to its previous state, I believe the folks at http://www.bleepingcomputer.com can help you diagnose and repair it. But it might be faster to just boot from Hiren’s, copy the user files to an external drive, wipe the drive including boot sectors (maybe Boot & Nuke), and re-install Windows.

  40. Jorge. Bautista

    I have opened the same file. What is really weird is that my two computers and two iPhones are being remotely monitored. They went into my apartment and took the serial numbers of my two laptops. I’ve been trying a lot of things. I got the IP addresses but the more I try to fix it I think the more they learn.. What can I do???

  41. betty a

    so, if this has been going on for so long, how come i got it tonight in my inbox – did not open of course – (but always worried about mom if she thinks her credit card was hacked.) My trip was to Aurora. I don’t even know where that is. fortunately my cc’s are maxed out so no worry for me. What I want to know is if this has been going on for months, why is it still getting past antiviruses. I have avg. no virus found.

    that’s scary. looks like if they put their minds to something that doesn’t matter, they can accomplish anything. Too bad they don’t just become math geniuses and do something productive for the world.

  42. Lisa

    I got the same email today only with a March 7 date and the city “Columbus.” Thanks.

  43. Mark Berry Post author

    betty a – my hunch is that they are changing the virus so it continues to get past anti-virus programs.

  44. Mario

    Also received an email (16 March 2012), coming from “American Airlines” (report-nr162 @ aa.com)… I immediately suspected a virus, as I never ordered a ticket with AA, a confirmation mail would normally be sent with the full name of the passenger (not just “Dear Customer”), there’s NO departure field and the attached file name is just a little too simple (“Ticket_American_Airlines_pdf.zip”). The whole email actually looks too simple to me (no html used, no pictures)…

    This was the full text:

    Dear Customer,

    FLIGHT NUMBER AS1011

    ELECTRONIC 6191485

    DATE & TIME / MARCH 29, 2012, 10:36 PM

    ARRIVING / Milwaukee

    TOTAL PRICE / 232.32USD

    Please find your ticket attached.

    You can print your ticket.

    Thank you

    American Airlines.

    Attached file: Ticket_American_Airlines_pdf.zip

    Glad I was able to understand the danger of this mail and to find more info here on the website…

  45. maria

    Having recently returned from the U.S (I live in the UK) I received this email yesterday.
    Thankfully I didn’t open it. I googled it first & checked AA’s airline timetable:

    Dear Customer,

    FLIGHT NUMBER AA8019
    ELECTRONIC 3761962
    DATE & TIME / MARCH 20, 2012, 10:55 AM
    ARRIVING / Oceanside
    TOTAL PRICE / 248.48USD
