
Remove Christmas virus (Removal Guide) - Free Instructions

removal by Olivia Morelli | Type: Viruses

Christmas virus is a set of cyber infections that are related to the festive period

Christmas Virus - a term used to describe cyber infections and scams that are related to the festive season.

Christmas virus is a term used to describe multiple different cyber threats that are related to Christmas. The array of infections therefore varies and includes worms, ransomware, trojans, as well as social engineering[1] attacks via emails and social networks. These threats have different goals, but most of them are malicious and should be avoided at all costs. The majority of Christmas viruses are spread with the help of spam emails, although other propagation methods, like fake updates, can be used as well. In this article, we will go through the most common Christmas-themed malware and ways to avoid it.

Name: Christmas virus
Type: Malware
Sub-types: Ransomware, worm, trojan, scam, etc.
Infiltration: Spam emails, although it can also use brute-force attacks, fake updates, malicious executables, etc.
Symptoms: Vary, depending on the infection
Elimination: Use anti-malware software like Reimage, Intego, SpyHunter 5 or Combo Cleaner

Because the term describes multiple different infections, there are different ways of dealing with it. However, the best way to remove Christmas virus is by employing reputable security software that can detect malicious software and clean it from the system. We highly recommend using Reimage, Intego, SpyHunter 5 or Combo Cleaner, although any other powerful anti-malware tool should do the job.

Some infections, such as ransomware, leave damage behind even after victims remove Christmas virus. Ransomware locks up personal data and demands a ransom to be paid for its release. Thus, file recovery needs to be performed in order to get access to the encoded data.

Below are some of the examples of Christmas virus, and we hope that you will be able to protect your privacy and online security this Christmas with the help of this article!

Christmas-themed malware examples

Christmas Tree EXEC

The very first holiday season malware appeared back in 1987 and was written by a German student who initially claimed that he only wanted to wish Season's Greetings to friends. The worm, written in the Rexx language,[2] arrived in the inbox with the subject line “Let this exec run and enjoy yourself!”. Once the victim typed CHRISTMAS as instructed, the virus drew a Christmas tree as text graphics and sent copies of itself to everybody in the target's contacts file. Ultimately, the Christmas Tree EXEC worm managed to paralyze international networks, and some 350,000 machines were shut down by IBM.

WM97/Melissa-AG or Prilissa

Prilissa is one of the older Christmas viruses and was first detected back in 1999. It is also propagated with the help of spam emails, with the subject line “Message from [username].” The malicious DOC file, once executed, infects the machine with malware that triggers on the 25th of December.

Prilissa opens pop-up windows, inserts randomly colored squares into the opened MS Word document, and attempts to wipe out the C: drive upon next reboot.

The Maldal virus

The Maldal virus was injected into victims' machines once they opened a Christmas.exe file. The phishing email came with a “Happy New Year” subject line and looked like a Season's Greetings electronic card, which most people fell for.

Once executed, the malware opened a window that displayed Santa Claus with a reindeer, sliding on his skis, with a message at the bottom:

From the heart, Happy new year!

Koobface worm

Koobface malware targeted users of social networks like Facebook, Skype, and Twitter, and redirected victims to a spoofed Santa-themed web page. Soon after the infiltration, it started its malicious activity: it is capable of stealing login information of various accounts, as well as banking information, which can result in money loss for victims.

Additionally, Koobface forms a peer-to-peer botnet[3] that propagates the malware even further.

MerryChristmas ransomware

MerryChristmas ransomware is a file locking virus, as well as data stealing malware[4], that first appeared in January 2017. While it is strange that malware with such a name appeared in January, it is believed that it is of Orthodox origin, as Christmas is celebrated on the 7th of January.

The virus was distributed with the help of spam campaigns: one email came from the alleged Federal Trade Commission, while the other pretended to be a notice from the court. The email embedded a hyperlink that downloaded a zip file disguised as a PDF document.

As soon as the machine gets infected, all personal videos, music, pictures and similar files are encoded, and an extension is appended to them. Additionally, users can view a ransom note that shows Santa Claus from Futurama and displays a timer. Allegedly, if the timer expires and no payment in Bitcoin has been transferred, all the data on the machine will be erased. Nevertheless, users should not pay the ransom and should instead use the official decryptor that is available to download on our main article page.

Stay away from Christmas gift and similar scams

Low profile cyber criminals and people who want an easy profit often rely on scams. The following are the most prominent Christmas virus scams that should not be overlooked this Christmas.

Christmas Day Bonus Gift email virus

Christmas Day Bonus Gift email virus is a spam email campaign that aims to distribute the data-stealing trojan Ursnif.

Users receive an email that claims that they are entitled to a Christmas bonus. In order to claim it, they are meant to click on a provided link. As soon as they click on the link, they are led to a Google doc, which is actually an executable file. Once executed, it installs the Ursnif trojan, which can record keystrokes, system information, and other sensitive data.

The Secret Sister Gift Exchange scam

This Christmas scam has been active since 2015,[5] and it seems like it is not going away three years later. The hoax is prevalent on social media platforms like Facebook or Twitter. It operates as a “pyramid scheme.” It promises that you will be able to receive 36 gifts in exchange for just one. While it sounds too good to be true, it really is.

In reality, it is merely a scam that asks victims to send $10 via the spoofed website. Do not participate in The Secret Sister Gift Exchange scam, and rather buy presents for those you actually care about this festive season.

Secret Sister exchange scam has been around since 2015, and it seems to be back every year

Amazon scams

Amazon scams, such as Amazon Gift Card, Amazon Membership Rewards, Congratulations Amazon User and many others, are designed to trick people into either providing sensitive information that can be used for marketing purposes, or installing bogus software, subscribing for useless services, and such. Ultimately, users end up wasting money and simply being scammed by cyber crooks.

The most recent Amazon scam which you might encounter while shopping for presents is masked as an email coming from the industry giant itself. Allegedly, users are informed that a Prime membership was purchased, and, in order to cancel it, they have to log in using their Amazon account credentials. As evident, bad actors' goal is to get access to the official account.

Extortion scams

Extortion scams have been extremely prevalent since mid-2018, and the number of users reporting these incidents increased drastically. Initially, sextortion scams were employed for blackmail. The crooks claim that they injected malware into the targeted computer, which allowed them to record users via the camera while they were watching porn online.

Crooks typically use information that was obtained from previous data breaches (such as email address and password) to make the hoax email more believable. Malicious actors ask users to pay a certain amount of Bitcoin, or else the recorded shameful videos would be sent to victims' friends and family.

The most recent scam involves bomb threats and asks users to pay as much as $20,000 in order to save hundreds of people from a bomb's detonation.[6]

Christmas virus distribution methods

As evident, the main culprit in Christmas virus distribution is fake emails. Users are sometimes redirected to a malicious website via a hyperlink or click on an attachment that holds macro scripts. We suggest you follow these simple tips if you want to avoid being tricked by a phishing email:

  • Do not jump into the email contents straight away. First, examine the email address of the sender, as well as the subject line. These two simple checks might straight away disclose the deception. For example, an email from might be easily interpreted as an original one.
  • The contents of the email might look very legit, with correct logos and formatting. However, make sure you carefully read through it and draw some conclusions. You can ask yourself these questions: “Why did this company send me an email? Was I expecting it?” In some cases, you will answer yes, but then you should proceed with the more advanced examination.
  • Phishing emails usually contain a link or an attachment that might be disguised as a .pdf, .doc, .txt, .html, or other document. Before opening them, make sure you scan them using reputable security software.
  • When it comes to clicking on hyperlinks, hover your mouse over the link and see where it is actually taking you.
  • Call the company that is trying to contact you or go to the official website, and use the email address provided there.

All in all, experts advise users to be vigilant, and always go by the rule “If it is too good to be true, it probably is.”
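The sender, hyperlink and attachment checks from the list above can also be automated; the script below is an added example, not code from the original article. The sample message, the shop.example domains and all function names are constructed for illustration, and official_domain stands for the domain you looked up on the company's real website.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".docm"}
# Constructed sample message: every address, domain and file name is made up.
SAMPLE = '''From: "Shop Rewards" <billing@shop-rewards.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://gifts.bad.example/claim">https://www.shop.example/gift</a>
<a href="https://www.shop.example/help">Help</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="bonus.pdf.exe"

--b1--
'''

class LinkParser(HTMLParser):  # collects [href, visible text] for each <a href>
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links.append([dict(attrs)["href"], ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data.strip()
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def host(value):  # lower-cased hostname of a URL or bare domain, "" if none
    return (urlparse(value if "//" in value else "//" + value).hostname or "").lower()

def triage(raw, official_domain):
    """Apply the sender, hyperlink and attachment checks; return findings."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    trusted = ("." + domain).endswith("." + official_domain)
    findings = [] if trusted else [f"sender domain {domain} is not {official_domain}"]
    for part in msg.walk():
        name = part.get_filename()
        if name and "." + name.lower().rsplit(".", 1)[-1] in RISKY_EXT:
            findings.append(f"attachment {name} ends in an executable extension")
        elif part.get_content_type() == "text/html":
            parser = LinkParser()
            parser.feed(part.get_content())
            for href, text in parser.links:
                if "." in text and " " not in text and host(text) != host(href):
                    findings.append(f"link shows {host(text)} but opens {host(href)}")
    return findings
```

Calling triage(SAMPLE, "shop.example") reports the look-alike sender domain, the link whose visible address differs from its real target, and the attachment with a document-style name that ends in .exe.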

Christmas virus is a set of cyber infections and scams that try to abuse the good mood people have during Christmas and gain money

Get rid of Christmas virus and protect yourself from cyber infections in the future

In most cases, scamming attempts can be noticed straight away, as fake messages are usually littered with grammar and spelling mistakes, or terrible formatting. However, some hoax messages sent via Facebook or other platforms might seem legitimate, and some people might fall for the trick. To avoid such consequences, we suggest you search online for the information. Simply copy the first line of the email or message and search for it. There will be plenty of blogs, forum posts, articles, and similar data regarding the threat.

Do not forget that scam messages often trick users into installing viruses. In such a case, Christmas virus removal must be performed. However, because Christmas malware can be related to so many different threats, its elimination instructions can differ. Nevertheless, the most optimal solution would be scanning your machine with security software like Reimage, Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes. The scans will find any malicious files embedded into the system and safely eliminate them.

In some cases, you can remove the Christmas virus manually. In case you installed bloatware[7] like Power System Care, MyShopcoupon, Safe PC Cleaner, and similar, you can get rid of all the files manually via the Control Panel (Windows) or Applications folder (macOS). Additionally, you might have to reset each of the affected browsers, such as Google Chrome, Internet Explorer, Mozilla Firefox, Safari, Opera, or others.

Nevertheless, if you are dealing with a severe Christmas virus infection, you should enter Safe Mode with Networking in case malware is interfering with the AV engine's operation. Follow the instructions below.


To remove Christmas virus, follow these steps:

Remove Christmas using Safe Mode with Networking

To remove Christmas virus from your machine safely, enter Safe Mode with Networking on your Windows device:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

  • Step 2: Remove Christmas

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to your ransomware to complete Christmas removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Christmas using System Restore

System Restore is also a very useful feature that might get rid of the Christmas virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.

  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Christmas. After doing that, click Next.
    4. Now click Yes to start the system restore.

    Once you restore your system to a previous date, download Reimage or Intego, scan your computer with it, and make sure that Christmas removal was performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Christmas and other ransomware, use a reputable anti-spyware program, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Access your website securely from any location

When you work on a domain, site, blog, or other project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and tie it to your device, you can connect to the CMS from any location without creating additional issues for the server or network manager who needs to monitor connections and activities. This is how you bypass some of the authentication factors and can remotely use your banking accounts without triggering suspicion with each login.

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to block access to your website from different IP addresses. That way you can keep the project safe and secure when you have a dedicated IP address VPN and protected access to the content management system.

Back up files for later use in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device cause data or performance corruption. Make file backup your daily or weekly habit.

When you have the previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for system restoration.

About the author
Olivia Morelli - Ransomware analyst