Email Dropper

http://www.virustotal.com/file-scan/report.html?id=66cadcb4868024bb51e2bcbb58640930063059d21b3b90f44f8bc67e55e306fc-1323200816

Notification,
FLIGHT NUMBER 980
ELECTRONIC 555708863
DATE & TIME / DECEMBER 15, 2011, 12:54 PM
ARRIVING / NEW YORK JFK
TOTAL PRICE / 411.12 USD

Please find your ticket attached.
You can print your ticket.

Thank you for your attention.
American Airlines.

Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) | Process ID | Parent ID | File Size
Mutex | | Imagepath: C:\exec\malware.exe | 1872 | |
API Call | Kernel32 | API Name: WaitForMultipleObjectsEx Address: 2011137537 Params: [2, b2ff6c, 0, 300000, 1] Imagepath: C:\exec\malware.exe | 1872 | |
API Call | Kernel32 | API Name: SleepEx Address: 4200124 Params: [-1, 1] Imagepath: C:\exec\malware.exe | 1872 | |
Process | Started | C:\WINDOWS\system32\svchost.exe Packed: no GUI: no Parentname: C:\exec\malware.exe Command Line: svchost.exe | 144 | 1872 |
Malicious Alert | Anomaly Tag | Message: Startup behavior anomalies observed Detail: A new process has been launched | | |
Process | Terminated | C:\exec\malware.exe Parentname: C:\WINDOWS\system32\cmd.exe | 1872 | 1812 |
Mutex | | \BaseNamedObjects\SHIMLIB_LOG_MUTEX | 144 | |
Mutex | | Imagepath: C:\WINDOWS\system32\svchost.exe | 144 | |
Mutex | | \BaseNamedObjects\92E56D8195A9DD45A9B90AACF82886B19C14F6C5 | 144 | |
File | Created | C:\Documents and Settings\Administrator\Application Data\csrss.exe | 144 | |
Malicious Alert | Misc Anomaly | Message: Well-known EXE/DLL created/modified Detail: Malware creating/modifying well-known EXE/DLL | | |
File | Close | C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
File | Delete | C:\exec\malware.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
File | Hide | C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
Malicious Alert | Misc Anomaly | Message: System file hiding observed Detail: Malware hiding exe/dll/sys file | | |
File | Open | C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
File | Date Change | C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
File | Close | C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 | 144 | | 49152
Regkey | Added | \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 144 | |
Regkey | Setval | \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "JavaSoft" = C:\Documents and Settings\Administrator\Application Data\csrss.exe | 144 | |
Malicious Alert | Misc Anomaly | Message: Windows explorer settings tampered Detail: Malware modifying windows explorer settings | | |
Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: www.google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 144 | |
Network | Dns Query Answer | IP Address: 199.16.199.2 Hostname: www.google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 144 | |
Network | Connected | Protocol Type: tcp Destination Port: 80 IP Address: 199.16.199.2 Imagepath: C:\WINDOWS\system32\svchost.exe | 144 | |
Malicious Alert | Misc Anomaly | Message: Network outbound communication attempted Detail: Malware attempting connections via standard ports | | |
End Of Report
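An added example, written for this thread and not part of razoreqx's post or of any sandbox vendor's tooling: a small Python parser that turns the flattened report rows above into events and pulls out what an incident responder would act on. The REPORT text is the report's own process, file, registry and network rows re-joined one event per line (the "Malicious Alert" rows are left out, since they are the sandbox's verdicts rather than evidence). SYSTEM_NAMES, RUN_KEYS and the wording of the findings are this example's assumptions, not something the report states.

```python
"""Pull indicators out of a flattened sandbox behaviour report.

Added example for this thread, not the poster's code and not a sandbox
vendor's tool. The regexes follow the "Type Mode/Class Details ...
Process ID Parent ID File Size" row layout of the report in the thread.
"""
import re
from dataclasses import dataclass, field

# Rows copied from the report above, one event per line (constructed layout).
REPORT = r"""
Process Started C:\WINDOWS\system32\svchost.exe Packed: no GUI: no Parentname: C:\exec\malware.exe Command Line: svchost.exe 144 1872
File Created C:\Documents and Settings\Administrator\Application Data\csrss.exe 144
File Close C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 144 49152
File Delete C:\exec\malware.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 144 49152
File Hide C:\Documents and Settings\Administrator\Application Data\csrss.exe MD5: 331226a7ea653a44ab2829eb18fc1e48 SHA1: d7f6b6f37e7ea6fe50d49daec2cbe09d84ae13b3 144 49152
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "JavaSoft" = C:\Documents and Settings\Administrator\Application Data\csrss.exe 144
Network Dns Query Protocol Type: udp Qtype: Host Address Hostname: www.google.com Imagepath: C:\WINDOWS\system32\svchost.exe 144
Network Connected Protocol Type: tcp Destination Port: 80 IP Address: 199.16.199.2 Imagepath: C:\WINDOWS\system32\svchost.exe 144
"""

PROC_RE = re.compile(r"^Process Started (.+?) Packed: \w+ GUI: \w+ Parentname: (.+?) Command Line: (.+?) (\d+) (\d+)$")
FILE_RE = re.compile(r"^File (Created|Open|Close|Delete|Hide|Date Change) (.+?)"
                     r"(?: MD5: ([0-9a-f]{32}) SHA1: ([0-9a-f]{40}))? (\d+)(?: (\d+))?$")
REG_RE = re.compile(r'^Regkey Setval (\\REGISTRY\\\S+?)\s*"([^"]+)" = (.+?) (\d+)$')
DNS_RE = re.compile(r"^Network Dns Query Protocol Type: \w+ Qtype: .+? Hostname: (\S+) Imagepath: (.+?) (\d+)$")
CONN_RE = re.compile(r"^Network Connected Protocol Type: (\w+) Destination Port: (\d+) IP Address: (\S+) Imagepath: (.+?) (\d+)$")

# Assumption: these names belong under the Windows directory; a copy anywhere
# else, or one spawned by a non-system parent, is masquerading.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# Assumption: autostart key fragments (lower-cased) worth flagging.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
            "\\currentversion\\policies\\explorer\\run")


@dataclass
class Event:
    kind: str      # process | file | regkey | dns | connect
    action: str
    target: str    # image path, file path, registry key, hostname or IP
    pid: int
    detail: dict = field(default_factory=dict)


def parse_report(text):
    """One Event per recognised row; unrecognised rows are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            events.append(Event("process", "Started", m.group(1), int(m.group(4)),
                                {"parent": m.group(2), "cmdline": m.group(3), "ppid": int(m.group(5))}))
        elif m := FILE_RE.match(line):
            events.append(Event("file", m.group(1), m.group(2), int(m.group(5)),
                                {"md5": m.group(3), "sha1": m.group(4),
                                 "size": int(m.group(6)) if m.group(6) else None}))
        elif m := REG_RE.match(line):
            events.append(Event("regkey", "Setval", m.group(1), int(m.group(4)),
                                {"value": m.group(2), "data": m.group(3)}))
        elif m := DNS_RE.match(line):
            events.append(Event("dns", "Query", m.group(1), int(m.group(3)), {"image": m.group(2)}))
        elif m := CONN_RE.match(line):
            events.append(Event("connect", m.group(1), m.group(3), int(m.group(5)),
                                {"port": int(m.group(2)), "image": m.group(4)}))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(events):
    """Ordered, de-duplicated findings, each carrying its evidence."""
    out = []
    seen_md5 = {}  # md5 -> first path it was reported on

    def note(msg):
        if msg not in out:
            out.append(msg)

    for ev in events:
        if ev.kind == "process" and basename(ev.target) in SYSTEM_NAMES \
                and basename(ev.detail["parent"]) not in SYSTEM_NAMES:
            note(f"system-named process spawned by sample: {ev.target} <- {ev.detail['parent']}")
        elif ev.kind == "file":
            if basename(ev.target) in SYSTEM_NAMES and "\\windows\\" not in ev.target.lower():
                note(f"system binary name outside Windows directory: {ev.target}")
            if ev.action == "Hide":
                note(f"hidden file: {ev.target}")
            md5 = ev.detail["md5"]
            if md5:
                first = seen_md5.setdefault(md5, ev.target)
                # Same hash written to a new path, then the original removed:
                # the sample relocated itself rather than dropping a second stage.
                if ev.action == "Delete" and first != ev.target:
                    note(f"sample copied to {first} and original {ev.target} deleted (md5 {md5})")
        elif ev.kind == "regkey" and any(k in ev.target.lower() for k in RUN_KEYS):
            note(f"run-key persistence: {ev.target}\\{ev.detail['value']} = {ev.detail['data']}")
        elif ev.kind == "dns":
            # A lookup of a well-known public host is usually a connectivity
            # check, not C2; keep it as context rather than a blockable IOC.
            note(f"dns lookup: {ev.target} by {ev.detail['image']}")
        elif ev.kind == "connect":
            note(f"outbound {ev.action}/{ev.detail['port']} to {ev.target} from {ev.detail['image']}")
    return out


def iocs(events):
    """Indicators to sweep other hosts for. Network entries need triage first."""
    out = {"md5": set(), "sha1": set(), "paths": set(), "registry": set(), "hosts": set(), "ips": set()}
    for ev in events:
        if ev.kind == "file":
            out["paths"].add(ev.target)
            if ev.detail["md5"]:
                out["md5"].add(ev.detail["md5"])
                out["sha1"].add(ev.detail["sha1"])
        elif ev.kind == "regkey":
            out["registry"].add(f"{ev.target}\\{ev.detail['value']}")
        elif ev.kind == "dns":
            out["hosts"].add(ev.target)
        elif ev.kind == "connect":
            out["ips"].add(ev.target)
    return out


if __name__ == "__main__":
    evs = parse_report(REPORT)
    for f in findings(evs):
        print("[!]", f)
    for k, v in iocs(evs).items():
        print(k, sorted(v))
```

The file and registry indicators are the ones to search for on other mailboxes' recipients: the same MD5 at `%APPDATA%\csrss.exe`, and a `JavaSoft` value under `HKCU\...\Policies\Explorer\Run`. The www.google.com lookup and the resulting connection are kept only as context; blocking them would break far more than this sample.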

Yep, razoreqx, thanks for the heads-up on this scam spam. Also been described here:
http://www.scamtrends.com/american-airlines-your-order-has-been-completed/
link source: scam trends from scam watcher
So scam spam mail with a malicious payload…

polonus

Thanks Polonus and sorry for the dupe. I saw that after I had posted on VT.

Cheers!