Do not open files or links in Enel malspam/phishing emails

Also Known As: Ursnif trojan
Type: Trojan
Distribution: Low
Damage level: Severe

Enel email virus removal guide

What is Enel email virus?

Enel the name of an Italian manufacturer and distributor of electricity and gas. It is known that there are multiple variants of phishing and malspam emails that are currently circulating around pretending to be from the aforementioned company. Cybercriminals behind these emails attempt to trick recipients into providing sensitive information or installing malicious software called Ursnif.

Enel email virus malware-spreading email spam campaign

These email messages pretend to be notifications about an unfinished refund or unpaid bill. The purpose of these emails is to illegally steal personal data and data relating to credit and debit cards or to deliver malware (a banking trojan called Ursnif). It is known that there are at least two variants of malspam emails and one phishing email. In malspam emails, recipients are asked to check the attached document (supposedly an unfinished refund or unpaid bill). In both malspam variants, the attached file is a malicious Microsoft Excel document that, if opened and allowed to enable macros (Editing/Content), installs Ursnif on the operating system. The phishing email contains a website link designed to open a fake Enel website where users/visitors are asked to log in using their address and password. Screenshots of the emails (and text in them) are provided below.

The fake Enel website (login page) is used to steal login credentials. Typically, cybercriminals attempt to steal such information so they could hijack accounts and then use them for malicious purposes. Depending on the type of a stolen account, criminals could use it to steal identities, send malspam, phishing emails, make fraudulent transactions, purchases, trick other people into making monetary transactions, access personal files or other data, and so on. Also, stolen credentials could be monetized by selling it to third parties (other cybercriminals). The Ursnif Trojan is used with the purpose to collect various sensitive information. This trojan logs keystrokes (records keyboard input), gathers saved login credentials, web browsing activity, system information, cookies. Also, it can restart the operating system, capture screen/take screenshots, download and execute files. Basically, cybercriminals use this malware to steal sensitive information and distribute (install) other malicious software (e.g., ransomware, cryptocurrency miners).

Threat Summary:
Name Ursnif trojan
Threat Type Trojan, password-stealing virus, banking malware, spyware.
Hoax Letter from Enel regarding unfinished refund and unpaid bill
Attachment(s) Malicious MS Excel document
Detection Names (Ursnif in first phishing email) Avast (Other:Malware-gen [Trj]), BitDefender (Trojan.Agent.FAPD), ESET-NOD32 (VBA/TrojanDownloader.Agent.VEK), Kaspersky (HEUR:Trojan.MSOffice.Agent.gen), Microsoft (TrojanDownloader:O97M/Dridex!MTB), Full List Of Detections (VirusTotal)
Detection Names (Ursnif in first phishing email) ALYac (Trojan.Downloader.XLS.Gen), BitDefender (Trojan.GenericKD.45560735), ESET-NOD32 (VBA/TrojanDownloader.Agent.VJD), Kaspersky (HEUR:Trojan.Script.Generic), Microsoft (TrojanDownloader:O97M/Obfuse.VIS!MTB), Full List Of Detections (VirusTotal)
Symptoms Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Payload Ursnif
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
Damage Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
▼ Download Malwarebytes
To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

More examples of both phishing and malspam campaigns are "Email Disabling Service Email Scam", "Credito Agricola Email Scam", "METZA Email Virus" and "Cobra Industrial Machines Email Virus". In most cases, recipients who fall for phishing, malspam emails infect their computers with malware, suffer monetary loss, lose access to personal accounts, get their identities stolen or encounter other serious issues. Therefore, it is strongly recommended to analyze suspicious emails (do research) before opening links of files in them. It is important to mention that in most cases, phishing and malspam letters pretend to be from legitimate companies, organizations, or other entities.

How did "Enel email virus" infect my computer?

Malicious Microsoft Excel documents in these malspam emails install Ursnif after being opened and allowed to enable malicious macros (Editing/Content). It is important to mention that malicious documents ask to enable macros commands only when they are opened with Microsoft Office 2010 or a newer version. If opened with older versions, they install malware right after they are opened. The reason why malicious documents opened with newer MS Office versions do not install malware automatically is because those versions include the "Protected View" mode, which prevents suspicious documents from causing any harm to the operating system. More examples of files that cybercriminals use in their malspam campaigns are PDF documents, MS Word documents, archive files like ZIP, RAR, executable files like .exe, .run, JavaScript files.

How to avoid installation of malware?

Files, links in irrelevant emails sent from unknown, suspicious addresses should not be opened: very often, emails of this kind are used as channels to deliver malicious software. Programs and files should be downloaded from official, trustworthy pages and via direct download links. It is not safe to use other sources for downloading software, for example, Peer-to-Peer networks (e.g., torrent clients, eMule), freeware download websites, free file hosting websites, third party downloaders, unofficial websites. Installed software has to be updated or activated properly: it should be done using implemented functions or tools that are provided by the official developers. It is important to mention that it is not legal to use third party ('cracking') tools for licensed software activation. Additionally, it is advisable to scan the operating system for threats regularly. Such scans should be run using reputable anti-virus or anti-spyware software. If you've already opened "Enel email virus" attachment, we recommend running a scan with Malwarebytes for Windows to automatically eliminate infiltrated malware.

Text presented in the first malspam email:

Subject: Rimborso Riferimento PR47659U21Y1147

Enel Energia –  Mercato libero dell'energia

Gentile Cliente,
Si tratta di un ultimo sollecito, si dispone di un rimborso incompiuto..
PIl rimborso delle 522,54€ è ancora valido fino 17/12/2020. É necessario compilare il modulo,
e ci dà due giorni lavorativi per elaborare la vostra richiesta.
Cordiali saluti, Enel Energia o 2020
Enel Energia rispetta l’ambiente utilizzando solo energia prodotta da fonti rinnovabili come acqua, sole, vento e calore della Terra, certificata dal Sistema di “Garanzie di Origine” del Gestore Servizi Energetici, in base alla Direttiva CE 2009/28/CE.

Screenshot of the malicious document attached to this email:

enel email virus attachment in first malspam email

Screenshot of the second malspam email:

enel email virus second malspam email

Text in this email:

Subject: EnelEnergia - Emissione Bolletta PEC

Enel Energia  Mercato libero dell'energia
Gentile Cliente,

In allegato trovi i documenti relativi
alle tue forniture:


  1.  Numero Cliente    Numero Documento    Importo    Scadenza
    ELETTRICO    968868831    004760232400    399,50    19/01/2021

Per un importo Totale di 399,50 euro.

Registrati all'Area Clienti di, potrai così:

•    gestire comodamente online la tua fornitura;
•    consultare e gestire online le tue bollette;

Salva e archivia Bolletta Web sul tuo pc e stampala ai fini
di un controllo fiscale. Ulteriori informazioni sul sito

Enel Energia per il mercato libero.Seguici su FACEBOOK INSTAGRAM

Malicious document attached to this email:

enel email virus second malspam email attachment

Screenshot of the phishing email:

enel email virus phishing email

Text in this email:

Subject: Rimborso Riferimento PR21188U14Y5292.

Gentile Cliente,
Si tratta di un ultimo sollecito, si dispone di un rimborso incompiuto..
Pll rimborso delle 89,56€ è ancora valido fino 10/02/2021. É necessario compilare il modulo,
e ci dà due giorni lavorativi per elaborare la vostra richiesta.
Area Clienti
Cordiali saluti, Enel Energia o 2020

Deceptvie Enel website used to steal credentials:

enel email virus third email phishing website

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Malwarebytes for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":


manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

extract and run autoruns.exe

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

locate the malware file you want to remove

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections, we recommend scanning it with Malwarebytes for Windows.

Click to post a comment

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Ursnif trojan QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Ursnif trojan on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.