"Amazon Email Virus" removal guide
What is "Amazon Email Virus"?
"Amazon Email Virus" is a spam email campaign (very similar to Standard Chartered bank Email Virus, TNT Email Virus, Thanksgiving Email Virus, and many more) that is used by cyber criminals (scammers) to trick people into opening malicious attachments through a presented link. This attachment infects computers with the Emotet virus, which is designed to steal personal data and proliferate other computer infections.
Scammers behind the "Amazon Email Virus" claim to be representatives from Amazon. They send this spam email to many users and present it as a Black Friday coupon worth $500. They offer $500 to be transferred directly to recipients' Amazon accounts. To take advantage of this deal, people are encouraged to click the "Get Your BLACK FRIDAY coupon." link. This results in download of a malicious Microsoft Office Word document. Once downloaded and opened, it asks for permission to enable macros commands. If enabled, these commands allow the Emotet computer infection to be downloaded. Emotet is high-risk virus designed to collect sensitive information including, for example, logins/passwords, browsing activity, and so on. Furthermore, the collected data might include banking information. Thus, having a virus such as Emotet installed might lead to serious privacy issues or even significant financial loss. Furthermore, this virus proliferates other infections, since it opens "backdoors" for other high-risk viruses that infiltrate and infect the operating system. We recommend that you ignore the "Amazon Email Virus" spam campaign and simply delete the received email.
|Name||Amazon black Friday deals virus|
|Threat Type||Trojan, Password stealing virus, Banking malware, Spyware|
|Symptoms||Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.|
|Distribution methods||Infected email attachments, malicious online advertisements, social engineering, software cracks.|
|Damage||Stolen banking information, passwords, identity theft, victim's computer added to a botnet.|
To eliminate malware infections our security researchers recommend scanning your computer with Spyhunter.
Spam email campaigns are used to proliferate various different viruses. Other examples of possible infections are FormBook, Adwind, TrickBot, and AZORult. Most of these viruses are designed to gather personal/sensitive data and use it to generate revenue. Some proliferate other infections (cause chain infections) including, for example, ransomware.
How did "Amazon Email Virus" infect my computer?
Spam campaigns such as "Amazon Email Virus" are used to infect systems via attachments. In this case, a website link is presented that leads to download of a malicious Microsoft Office Word attachment. Once downloaded and opened, this document will first demand permission to enable macros commands. Enabling macro commands results in download and installation of the aforementioned Emotet virus. In other cases, the malicious attachment is an archive file that must be extracted, or an executable file that must be executed, and so on.
How to avoid installation of malware?
To avoid infections proliferated through spam campaigns, handle emails that contain web links or attachments with care. If the email was sent from a suspicious or unknown address, or the email seem irrelevant, do not open the presented link or attachment. To avoid computer infection by viruses, have a reputable anti-spyware/anti-virus suite installed. These tools can prevent viruses from doing any damage. If you have already opened an "Amazon Email Virus" attachment, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.
Text presented in the "Amazon Email Virus" email message:
Your Amazon Today's Deals All Departments
Black Friday deals
Shop deals in every department
As a thank you for being an Amazon customer, we have placed a $500 Amazon credit for you. We will automatically apply the balance of your credit to any purchase in the Amazon only on BLACK FRIDAY 2018!
Save up to 50%
Promotional credit expires on November 23, 2018.
Get your BLACK FRIDAY coupon.
© 2018 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon Amazon.com the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com 410 Terry Avenue M., Seattle, WA 98109-5210
Malicious attachment distributed via "Amazon Email Virus" spam campaign:
Another variant of "Amazon Email Virus" spam campaign (also distributes Emotet):
Text presented within this email:
Subject: Your Amazon Cyber Monday coupon
As a thank you for being an Amazon customer, we have placed a £500 Amazon credit for you. We will automatically apply the balance of your credit to any purchase in the Amazon only on CYBER MONDAY SALE
Malicious document attached to this email:
Another variant of "Amazon Email Virus" campaign's email (also distributes Emotet):
Text presented within this email:
Thank you for shopping with us. We confirmation that your item has shipped. Your order details are available on link below. The payment details of your transaction can be found on the order invoice.
Your estimated delivery date is:
Tuesday, December 18, 2018 - Thursday, December 20, 2018
Your shipping speed:
Item Subtotal: $11.13
Shipping & Handling: $2.87
Total Before Tax: $14:00
Estimated Tax: $1.26
Order Total: $15.26
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help
Thank you for shopping with us.
The payment for your invoice is processed by Amazon Payments, Inc. P.O. Box 81226 Seattle, Washington 98108-1226. If you need more information, please contact (866) 210-9082
Screenshot of Emotet's process ("sedlauncher") in Windows Task Manager:
Another variant of Amazon email spam campaign which is now used for phishing purposes (the "Verify Now" link leads to a fake Amazon website which collects various credentials):
Text presented within this email:
Your Amazon account has been locked
We detected that your account has tried to login another location. An unauthorized person may have accessed your account.
Date and Time: 16/01/2020 21:33:12 (GMT)
Browser: Google Chrome
IP : -
Therefore, security and integrity issues in Amazon's protection will cause your account to be automatically temporarily locked for security purposes. To protect your data, we have:
- The password of your account is deactivated.
- Undone changes made by this person.
- All open orders canceled. You can ignore any confirmation emails received for these orders.
- If purchases have been made, they will be refunded for your payment method.
To unlock it and continue using your Amazon account, we need you to verify your identity.
Click the button link below "Verify Now" and continue with the verification steps that will be followed by the terms and conditions.
Why you received this email
Amazon requires verification whenever an email address is selected as an Amazon account. Your Amazon account cannot be used until you verify it.
If you did not verify your identity within 24 hours to provide evidence on our services that it is your account. Otherwise, your Amazon account will be permanently locked.
Thanks again for your visit Amazon
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is "Amazon Email Virus"?
- STEP 1. Manual removal of Emotet malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections, we recommend scanning it with Spyhunter for Windows.