"CitiBank Email Virus" removal guide
What is "CitiBank Email Virus"?
There are numerous spam campaigns online, including "CitiBank Email Virus". They are commonly used to spread other viruses, in this case, the Emotet virus. Scammers/cyber criminals behind the "CitiBank Email Virus" use an email that contains a link leading to download of a malicious .doc file. Cyber criminals send this email to many people, hoping that a percentage of them will click the link and open the malicious document, which then goes on to infect computers with Emotet.
The "CitiBank Email Virus" spam campaign is used by cyber criminals who claim to be representatives of Citibank. These criminals often use well-known company names to trick more people into clicking links, opening attachments, or taking other actions that lead to computer infections. Note that Citibank has nothing to do with this scam. The email gives the impression that Citibank has resolved a dispute and that you will see credit in your account within the next two business days. It also indicates that you can check the transaction details by clicking the "Download Your transaction details" link. This is the link that we mentioned in our introduction. Once clicked, this link will download a Word (.doc) file that, according to cyber criminals, contains some transaction details. Opening this document gives permission for the Emotet virus to be installed. This virus is categorized as high-risk malware that steals personal information (such as logins, passwords, browsing-related data, and so on). Having your computer infected with this virus might lead to other infections (such as ransomware-type virus infections) and privacy issues, financial loss, and so on. If you have already opened "CitiBank Email Virus" attachments, immediately scan the system with a reputable anti-virus/anti-spyware suite and eliminate all detected threats.
|Name||CitiBank dispute virus|
|Threat Type||Trojan, Password stealing virus, Banking malware, Spyware|
|Symptoms||Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.|
|Distribution methods||Infected email attachments, malicious online advertisements, social engineering, software cracks.|
|Damage||Stolen banking information, passwords, identity theft, victim's computer added to a botnet.|
|Malware Removal (Windows)||
To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
Spam campaigns like "CitiBank Email Virus" can spread various viruses. Some examples of other possible infections are FormBook, Adwind, TrickBot, and AZORult. All cause privacy/financial issues and other serious problems. We strongly recommend that you eliminate these viruses immediately.
How did "CitiBank Email Virus" infect my computer?
As mentioned in our introduction, many spam campaigns are similar to "CitiBank Email Virus" including, for example, "IRS Online Email Virus", "Pricewaterhouse Coopers", "Ernst & Young", and "BMO account report". Frequently, spam email campaigns of this type proliferate viruses through malicious attachments. In this case, cyber criminals present a link that downloads a .doc (Microsoft Word) document. If opened, this attachment asks for permission to enable macros commands. These commands, if enabled, allow malicious Word attachment to download/install the Emotet virus. Note, however, that this attachment targets only Microsoft Windows users. Therefore, if the document (.doc) is opened using a program other than a Microsoft Word product, it will not be able to download and install viruses.
How to avoid installation of malware?
To avoid high-risk virus infections, browse the web and open emails (especially email attachments) with caution. If you have received an email from an unknown/suspicious email address, carefully inspect the email. If it seems irrelevant, do not open the attachment or click any provided link. Have reputable anti-virus and anti-spyware software installed. These programs can prevent viruses from being downloaded and installed. If you have already opened a "CitiBank Email Virus" attachment, we recommend running a scan with Malwarebytes for Windows to automatically eliminate infiltrated malware.
Text presented in the "CitiBank Email Virus" email message:
American Airlines AAdvantage
Account ending in 3691
We've resolved your dispute
We're pleased to let you know that your dispute has been resolved - you'll see the credit in the next two business days - it'll be listed with your account activity on your statement. This credit is permanent.
We included the below transaction details for the dispute on account ending in 3691 for your reference.
Download your transaction details.
Your Citi Team
Malicious attachment distributed via "CitiBank Email Virus" spam campaign:
Another variant of CitiBank email spam campaign now distributing Remcos RAT:
Text presented within this email:
Subject: ACH Payment Notice - Ref:19309
Attachment: Transaction Notice.zip
Attention : Accounts Receivable Dept
Out going payment initiated on : 30 Sept 19 . Please find attached file and peruse through it.
Attached payment advice is issued at the request of our customer and is for your reference only. If you are not the right contact for this notice, please forward to your accounts receivable department.
Note: The attached file is password protected to prevent unauthorized access in transit. file password ; 19309
Text presented within this email:
Subject: Payment advice-BG_EDG95320200205005000471_126_953 COVID-19 Be Safe and Safe Strong.
For the attention of:
Please be advised that the following payment will be made to you on behalf of our client.
Transaction Reference: 3149364780
Payer/Remitter's Reference No: 11260002178319
Beneficiary Details: 49***********1 /
Payment method: Fund Transfer
Payment Amount: 47,054.40
Processing Date: 08-April-2020
Payment Details: 11260002178319
Kindly contact your remitter directly for any queries on the payment advice.
Note. The contents of this advice is confidential and may be legally privileged. This advice is issued at the request of the bank's client and purports to set out certain details of the transaction our bank was instructed to effect. This is not a confirmation. The bank bears no liability for any direct, indirect or consequential loss arising out of this advice being sent by email by the bank or other third parties. If you are not an intended recipient, you are hereby notified that any dissemination, distribution or copying of this advice is strictly prohibited. If you have received this advice in error, please the sender and permanently delete this advice immediately. You should not retain, copy or use this advice for any purpose, nor disclose all or any part of the contents to any other person.
Screenshot of a malicious CitiBank-themed Excel document which injects Remcos RAT into the system:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is "CitiBank Email Virus"?
- STEP 1. Manual removal of Emotet malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Malwarebytes for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections, we recommend scanning it with Malwarebytes for Windows.