AT&T Email Virus

Also Known As: Hancitor trojan
Type: Trojan
Distribution: Low
Damage level: Severe

AT&T Email Virus removal guide

What is AT&T Email Virus?

Similar to FedEx Tracking Email Virus and eFax Email Virus, "AT&T Email Virus" is a spam email campaign that distributes the Hancitor trojan. Scammers send thousands of emails by presenting them as invoices and encouraging users to open attached Microsoft Office documents. Note that the documents are malicious and download and install Hancitor onto systems.

AT&T Email Virus malware

"AT&T Email Virus" campaign emails are presented as invoices from the AT&T company for wireless network services. Users must supposedly pay a certain sum of money, and for detailed information, must read the attached document. This is a scam. The opened file immediately downloads and installs malware. Be aware that AT&T is a legitimate company and has nothing to do with this spam campaign. It is very common for cyber criminals to hide behind the names of governmental agencies and legitimate companies. They do this to trick users into opening attachments - people are much more likely to open files received from familiar names. Hancitor is a high-risk virus designed to open "backdoors" for other malware (such as Pony) to infiltrate the system. The behavior of distributed viruses often differs. Depending on the virus, they might gather information, encrypt data, lock the computer, misuse system resources to mine cryptocurrencies, cause redirects to malicious websites, and so on. These chain infections can lead to significant financial/data losses and even identity theft. If you have recently opened "AT&T Email Virus" campaign attachments, there is a high probability that your computer is infected with the Hancitor trojan. Therefore, you should immediately scan it with a legitimate anti-spyware/anti-virus program and remove all detected threats.

There are many trojan-type viruses distributed using email spam campaigns, for example, TrickBot, FormBook, and Adwind. Unlike Hancitor, however, most of these trojans do not proliferate other viruses. As mentioned above, they gather sensitive information, such as saved logins/passwords, visited websites, etc. In any case, trojan-type viruses pose a significant threat to your privacy and Internet browsing safety. All must be eliminated immediately.

How did AT&T Email Virus infect my computer?

"AT&T Email Virus" proliferates a malicious Microsoft Office document. After opening this file, users are presented with a message stating that they must enable macro commands, otherwise the content will not be displayed properly. Enabling macros simply grants attachments permission to execute commands that stealthily download and install Hancitor into the system. Although this distribution method is simple and effective, it has a major flaw. Malicious attachments are unable to download malware if the user opens them using applications that do not belong to the MS Office suite. For example, if the .doc file is opened in an app other than Microsoft Word, the malware will not be downloaded. Furthermore, this spam campaign targets the Microsoft Windows operating system and users of other platforms are safe.
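Because the infection depends on the attachment carrying macros, a received file can be checked for a VBA project before anyone opens it in Word. The following Python sketch is an added example, not part of the original guide; the function names and the in-memory sample files are constructed for illustration, and the check for legacy .doc files is a simple byte-pattern heuristic.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm) container
# Stream names in an OLE2 directory are stored as UTF-16LE strings.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16le")


def macro_triage(data: bytes) -> str:
    """Classify attachment bytes as 'macros', 'no-macros' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: a VBA project appears as a named directory entry.
        return "macros" if OLE2_VBA_MARKER in data else "no-macros"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "not-office"
        if "[content_types].xml" not in names:
            return "not-office"  # an ordinary ZIP, not an Office package
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        return "macros" if has_vba else "no-macros"
    return "not-office"


def build_package(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample: OLE2 header followed by a VBA directory entry name.
LEGACY_WITH_VBA = OLE2_MAGIC + b"\x00" * 504 + OLE2_VBA_MARKER

if __name__ == "__main__":
    for label, blob in [("docm-like", build_package(True)),
                        ("docx-like", build_package(False)),
                        ("legacy doc", LEGACY_WITH_VBA)]:
        print(label, "->", macro_triage(blob))
```

An unexpected invoice that comes back as "macros" should be quarantined rather than opened; a "no-macros" result only rules out this one delivery technique.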

How to avoid installation of malware?

Lack of knowledge and careless behavior are the main reasons for computer infections. Caution is the key to safety. Therefore, pay attention when browsing the Internet and downloading/installing software. Carefully analyze all email attachments received. If the file seems suspicious/irrelevant and has been sent by a dubious email address, you should never open it. Have a reputable anti-virus/anti-spyware suite installed and running. Note that newer versions of MS Office (2010 and above) include a feature that opens newly-downloaded documents in "Protected View" mode. This prevents malicious attachments from infecting the system. Therefore, using older versions of MS Office is not recommended. If you have already opened an "AT&T Email Virus" attachment, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.

Text presented in the "AT&T Email Virus" email message:

Subject: Your wireless invoice notification from AT&T
Your wireless bid is ready
Dear Customer,
Your monthly wireless invoice for your account in now available.
Due Balance: $338.95
View your monthly gill.
Thank you,
At&T online Services
att.com
Contact Us
Support - quick And easy assistance is accessible 24/7.

DO NOT REPLY TO THIS MESSAGE
2018 AT&T Property. All rights reserved. AT&T, the AT&T logo design and all other marks included here are logos of AT&T Property and AT&T related companies. Subsidiaries and affiliates of AT&T provide products under the AT&T brand.

Screenshot: malicious attachment distributed via the "AT&T Email Virus" spam campaign.

Screenshot: Hancitor trojan process ("Trainz") in Windows Task Manager.

Other variants of AT&T Email Virus spam campaign letters that also distribute Hancitor trojan:

AT&T Email Virus proliferating Hancitor (sample 2)

Text presented within this email:

Subject: Your cellular bill notification

 

AT&T | Support | My AT&T User Account

Your individual wireless bill is all set to view

Dear AT&T Client,

Your monthly mobile bill for your account is now available.

Entire Balance Due: $315.04

 Please view your monthly bill here.
 
Thanks, AT&T Online Solutions
att.com

 

Contact?
AT&T Help and support - quick & simple help is available 24/7.

 

Make sure you don't respond to this communication.

2018 AT&T Property.

AT&T, the logo and all other AT&T brandmarks enclosed in here are art logos of AT&T Intellectual Property and/or.

AT&T related businesses. Subsidiaries of AT&T supply goods and services on behalf of the AT&T brand name.

Privacy

AT&T Email Virus proliferating Hancitor (sample 3)

Text presented within this email:

Subject: Your wireless bill notification from AT&T

 

AT&T | Help support | Manage my AT&T User account

Your personal wireless bill is all set to be viewed

Dear Client,

Your personal monthly wireless invoice for your account is available.

Entire Balance Due: $215.05

 See your monthly bill right here.
 
Thank you so much, AT&T Services
att.com

 

Contact?
AT&T Support - instant & easy help is available 24 hours a day.

 

Make sure you don't answer this email.

2018 AT&T Intellectual Property. All rights reserved.

AT&T, the brand and various other AT&T marks contained in this letter are logos of AT&T Intellectual Property and/or.

AT&T related organizations. Affiliates of AT&T supply services and products on behalf of the AT&T trademark.

Personal privacy

AT&T Email Virus proliferating Hancitor (sample 4)

Text presented within this email:

Subject: Your cellular invoice notification from AT&T

 

att.com | Help | My AT&T User account

Your individual mobile bill is ready to be viewed

Dear Customer,

Your regular cellular invoice for your user account is is ready to view.

Entire Balance: $615.04

 View your bill right here.
 
Thank you so much, AT&T Services
att.com

 

Let us know
AT&T support - instant And simple support is offered 24 hours.

 

Make sure you don't reply to this email.

2018 AT&T Property. All rights reserved.

AT&T, the logo design and all other AT&T brandmarks contained herein are art logos of AT&T Intellectual Property and.

AT&T associated companies. Affiliate marketers of AT&T supply services and products on behalf of the AT&T brand.

Privacy

AT&T Email Virus proliferating Hancitor (sample 5)

Text presented within this email:

Subject: Your wireless invoice notification from AT&T

 

att.com | Support | Manage my AT&T User account

Your individual cellular monthly bill is all set to be viewed

Dear AT&T Customer,

Your personal regular wireless invoice for your account is is ready to view.

Overall Balance Due: $219.03

 Please view your monthly bill right here.
 
Thank you so much, AT&T Online Solutions
att.com

 

Contact Us
AT&T Support - instant and very easy help is offered 24/7.

 

Please do not answer this letter.

2018 AT&T Property. All rights reserved.

AT&T, the company logo and various other AT&T brandmarks included in here are art logos of AT&T Intellectual Property and/or.

AT&T affiliated organizations. Affiliate marketers of AT&T Inc. provide services and products under the AT&T brand.

Personal privacy


How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Screenshot: sample of a malicious process running on a user's computer.

If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:

Step 1: Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations.

Step 2: Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu, click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window, click "Troubleshoot", then select "Advanced options". In the advanced options menu, select "Startup Settings" and click the "Restart" button. In the following window, press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Step 3: Extract the downloaded archive and run the Autoruns.exe file.

Step 4: In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Step 5: Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware, remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always, it is better to prevent infection than to try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
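Step 5 warns that malware can borrow the names of legitimate Windows processes and that system files must not be removed. The Python sketch below is an added example, not part of the original guide: it applies that check to autostart entries noted down from Autoruns. The entry list is constructed, only the process name "Trainz" comes from this page, and the name and folder lists are illustrative assumptions for a Windows installation on C:.

```python
from pathlib import PureWindowsPath

# Genuine Windows process names that malware often borrows (illustrative list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
# Folders where those genuine files live (assumes Windows is installed on C:).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# User-writable locations that rarely hold legitimate autostart programs.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\users\\public\\")


def review_entry(image_path: str, signed: bool) -> list[str]:
    """Return the reasons an autostart entry deserves a closer look."""
    path = PureWindowsPath(image_path.lower())
    reasons = []
    if path.name in SYSTEM_NAMES and str(path.parent) not in SYSTEM_DIRS:
        reasons.append("system process name outside the Windows directory")
    if any(marker in str(path) for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable folder")
    if not signed:
        reasons.append("no verified publisher signature")
    return reasons


def triage(entries) -> dict[str, list[str]]:
    """Map entry name -> reasons, keeping only entries with findings."""
    findings = {}
    for name, image_path, signed in entries:
        reasons = review_entry(image_path, signed)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample entries: (entry name, image path, publisher verified).
ENTRIES = [
    ("Service Host", r"C:\Windows\System32\svchost.exe", True),
    ("svchost", r"C:\Users\alice\AppData\Roaming\svchost.exe", False),
    ("Updater", r"C:\Program Files\Example\updater.exe", True),
    ("Trainz", r"C:\Users\alice\AppData\Local\Temp\Trainz.exe", False),
]

if __name__ == "__main__":
    for name, reasons in triage(ENTRIES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Entries with no findings, such as the genuine svchost.exe in System32, are the ones to leave alone; flagged entries still need their full path confirmed before anything is deleted.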

To be sure your computer is free of malware infections, we recommend scanning it with Spyhunter for Windows.