HSBC Email Virus removal guide
What is HSBC Email Virus?
"HSBC Email Virus" is another spam email campaign similar to ADP Invoice, Barclays Secured Message, Sage Invoice, and many others. This campaign is designed to distribute a trojan-type virus called TrickBot. The emails essentially state that the a money payment has not been processed and encourages users to open an attached MS Word document for more information. This is a scam - once opened, the attachment stealthily downloads and installs malware.
Firstly, HSBC is one of the largest banks in the world and has nothing to do with this spam campaign. Cyber criminals simply hide behind the name to trick unsuspecting users into opening the attachment. As mentioned above, the email states that a payment cannot be processed and encourages the user to open the attached document and perform a number of steps to resolve this issue. As mentioned, this is a scam. Cyber criminals use the names of legitimate companies and governmental agencies, since it is much simpler to trick users into opening files received from people or companies with familiar names (in this case, a large bank). TrickBot is a very dangerous virus. After system infiltration, it hijacks browsers and modifies visited websites so that entered logins/passwords are sent to a remote server controlled by TrickBot's developers. Therefore, cyber criminals might gain access to users' private accounts, including social networks, banks, and so on. Cyber criminals aim to generate as much revenue as possible, and so there is a high probability that these people will take advantage of any information obtained. Therefore, the presence of TrickBot malware can lead to serious privacy issues and significant financial loss. If you have recently opened attachments distributed via an "HSBC Email Virus" spam campaign, you should immediately scan the system with a legitimate anti-virus/anti-spyware suite and eliminate all detected threats.
There are many trojan-type viruses that share similarities with TrickBot (including, for example, LokiBot, Emotet, Adwind, and FormBook). As with HSBC Email Virus, these viruses are also distributed using spam email campaigns. In addition, most trojans are designed to record personal information. Some, however, proliferate other viruses (usually, ransomware). In any case, all pose a direct threat to your privacy and browsing safety.
How did HSBC Email Virus infect my computer?
As mentioned above, "HSBC Email Virus" distributes a malicious MS Word document. After opening this file, users are encouraged to enable macro commands (otherwise the content will not be displayed properly), however, this is a trick - by enabling macros, users allow the document to execute commands that stealthily download and install TrickBot. This distribution method, however, has a major flaw - documents are able to download malware only if the user opens them using the MS Word program. Therefore, if the file is opened using any other app, malware will not be downloaded. Furthermore TrickBot targets the Microsoft Windows Operating System only - if you are using another platform, you are safe.
How to avoid installation of malware?
Lack of knowledge and careless behavior are the main reasons for computer infections - the key to safety is caution. Therefore, it is very important to pay close attention when browsing the Internet. Think twice before opening email attachments. If the file seems irrelevant or has been received from a suspicious email address, it should never be opened. 2010 and newer MS Office versions are developed to open new documents in "Protected View" mode. This prevents download and installation of malware. Therefore, using old versions is risky. We also strongly recommend that you have a reputable anti-virus/anti-spyware suite installed and running. If you have already opened "HSBC Email Virus" attachment, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.
Text presented in the "HSBC Email Virus" email message:
Subject: Important : Troubles processing BACs payment
We’re having troubles processing your request, we encountered an error processing your BACs payment.
What we need you to do
1. The documents are delivered through secure email via an attached file from HSBC. Please be aware this may be delivered to the spam folder.
2. When you open the document a message will appear saying the document requires phone verification. When you click the Send Code button, a code will be sent to your mobile phone.
3. Key that code in to the Code box on screen and select OK. You will now be able to complete the fields in the document as required.
4. Please note that the signature you upload needs to be a clear, current version of your standard signature which once added to the bank mandate can be used to authorise such account transactions as the paying away of funds.
5. Please ensure when you complete the form, that full names including any middle names are included.
6. When the final signatory has completed and signed the documents they will then be returned to me via secure email.
Transaction Processing Specialist | Operations BACs, Faster Payments, CDD | Email: James.Holand@hsbc.co.uk
Malicious attachment distributed via "HSBC Email Virus" spam campaign:
Second variant of "HSBC Email Virus":
Text presented within this email:
Subject: Incoming high value CHAPS payments
Good Morning ,
We received 2 high value CHAPS payments requests into the branch today.
Please complete and sign the attached documents and return for processing.
We require this information before we can release the payments to your account.
Olivia Brown BA (Hons) Cert (RBCB)
Business Banking and Wealth Management
HSBC BANK PLC HBEU
18 North Street, Leatherhead, Surrey KT22 7AR. South Region.
HSBC Bank plc
Registered Office: 8 Canada Square, London E14 5HQ
Registered in England – Number 14259
Authorised by the Prudential Regulation Authority and regulated by the
Financial Conduct Authority and the Prudential Regulation Authority
This E-mail is confidential
It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail.
Internet communications cannot be guaranteed to be timely secure, error or virus-free. The sender does not accept liability for any errors or omissions.
Screenshot of the malicious attachment proliferated using the second variant of "HSBC Email Virus":
Third variant of "HSBC Email Virus":
Text presented within this email:
Subject: Account Review
The account review files has been issued at the request of our customer, please download it from the link below:
Your documents have been encrypted with the strongest encryption and a unique key, please print and sign the attached document.
Global Payment and Cash Management
Screenshot of the malicious attachment proliferated using the third variant of "HSBC Email Virus":
Instant automatic removal of HSBC bank virus:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of HSBC bank virus. Download it by clicking the button below:
- What is HSBC Email Virus?
- STEP 1. Manual removal of TrickBot malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.