Here are some more details; the email header is:
Delivered-To: hector.cadelo@varmetric.co.uk
Received: by 10.216.209.198 with SMTP id s48csp795534weo;
    Sat, 14 Jun 2014 03:08:57 -0700 (PDT)
X-Received: by 10.66.248.228 with SMTP id yp4mr9875568pac.94.1402740536291;
    Sat, 14 Jun 2014 03:08:56 -0700 (PDT)
Return-Path: <nobody@host.ozanimart.com>
Received: from host.ozanimart.com ([122.201.94.179])
    by mx.google.com with ESMTPS id nx10si4845019pbb.197.2014.06.14.03.08.55
    for <hector.cadelo@varmetric.co.uk>
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Sat, 14 Jun 2014 03:08:56 -0700 (PDT)
Received-SPF: none (google.com: nobody@host.ozanimart.com does not designate permitted sender hosts) client-ip=122.201.94.179;
Authentication-Results: mx.google.com;
    spf=neutral (google.com: nobody@host.ozanimart.com does not designate permitted sender hosts) smtp.mail=nobody@host.ozanimart.com
Received: from nobody by host.ozanimart.com with local (Exim 4.77)
    (envelope-from <nobody@host.ozanimart.com>)
    id 1Wvktt-0008LS-5m
    for hector.cadelo@varmetric.co.uk; Sat, 14 Jun 2014 20:09:29 +1000
Date: Sat, 14 Jun 2014 20:09:29 +1000
To: hector.cadelo@varmetric.co.uk
From: noreplay <support.corp@mail.bitsupport.com>
Subject: welcome to wallet
Message-ID: <514d8557afe2d1e09ca28de901ce784a@www.vanguardsingle.com.au>
X-Priority: 3
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.ozanimart.com
X-AntiAbuse: Original Domain - varmetric.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host.ozanimart.com
http://www.Bitpays.com/wallet-downloads-rFinieshed.seam=?id=3Ddf5472208ef597f4f5762r81c34a4e7886a7bab5588752dbdewe908=
e11fe605700c8592ad5302
Which actually goes to:
http://www.steddblue.com/index.php Domain Name: STEDDBLUE.COM
It redirects to
www.masted.org/download/index.php, which is where it downloads a file called BitPay-wallet-4ae23cea-062b-4609-8232-496b85fc5177.rar from that server.
My guess is that these servers were compromised beforehand and the whole setup was planted there.
Inside this .rar file there is a .jar file that runs under Java and downloads the following files from the internet:
JNativeHook_9150172923394402403.dll
temporalito4067113274008559351okey.jar
temporalito4591708588922498270Explorer.exe
WATCH OUT, don't open the .jar, it will get you into trouble!
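Added example, not part of the post above: a small Python triage script of the kind an analyst would run over a header like the one quoted in the post. It walks the Received chain in delivery order, compares the From domain with the envelope sender (Return-Path), reads the SPF verdict, and decodes the quoted-printable body so the real link can be read (the `=3D` and the trailing `=` in the quoted URL are quoted-printable artifacts, not part of the URL). The sample message is a trimmed copy of the post's own header; the function names and the triage fields are my own choices.

```python
import email
import email.utils
import re

# Constructed sample: a trimmed copy of the header and body quoted in the post
# above, with the folded header lines re-joined under their header names.
RAW_MESSAGE = """\
Delivered-To: hector.cadelo@varmetric.co.uk
Received: by 10.216.209.198 with SMTP id s48csp795534weo;
        Sat, 14 Jun 2014 03:08:57 -0700 (PDT)
Return-Path: <nobody@host.ozanimart.com>
Received: from host.ozanimart.com ([122.201.94.179])
        by mx.google.com with ESMTPS id nx10si4845019pbb.197.2014.06.14.03.08.55
        for <hector.cadelo@varmetric.co.uk>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Sat, 14 Jun 2014 03:08:56 -0700 (PDT)
Received-SPF: none (google.com: nobody@host.ozanimart.com does not designate
        permitted sender hosts) client-ip=122.201.94.179;
Received: from nobody by host.ozanimart.com with local (Exim 4.77)
        (envelope-from <nobody@host.ozanimart.com>)
        id 1Wvktt-0008LS-5m
        for hector.cadelo@varmetric.co.uk; Sat, 14 Jun 2014 20:09:29 +1000
From: noreplay <support.corp@mail.bitsupport.com>
Subject: welcome to wallet
Message-ID: <514d8557afe2d1e09ca28de901ce784a@www.vanguardsingle.com.au>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

http://www.Bitpays.com/wallet-downloads-rFinieshed.seam=?id=3Ddf5472208ef597f4f5762r81c34a4e7886a7bab5588752dbdewe908=
e11fe605700c8592ad5302
"""

# "from X (info) by Y": the from clause and the parenthesised part are optional.
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>\S+)\s+(?:\((?P<info>[^)]*)\)\s+)?)?by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(value):
    """Collapse a folded (multi-line) header value onto one line."""
    return " ".join(str(value).split())


def parse_message(raw):
    return email.message_from_string(raw)


def address_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if there is none)."""
    _, addr = email.utils.parseaddr(unfold(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Received headers in delivery order (oldest first) as (from, ip, by) tuples.
    Each MTA prepends its own Received line, so header order is newest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(unfold(value))
        if not m:
            continue
        ip_m = IP_RE.search(m.group("info") or "")
        hops.append((m.group("frm"), ip_m.group(0) if ip_m else None, m.group("by")))
    return hops


def first_external_hop(hops):
    """First hop with a client IP recorded: the host that handed the message to
    the receiving side, and the IP the SPF check was evaluated against."""
    for hop in hops:
        if hop[0] and hop[1]:
            return hop
    return None


def spf_result(msg):
    value = unfold(msg.get("Received-SPF", ""))
    return value.split(" ", 1)[0].lower() if value else None


def decoded_urls(msg):
    """Undo the Content-Transfer-Encoding (quoted-printable here) and extract
    URLs; '=3D' becomes '=' and the '=' soft line break disappears."""
    body = msg.get_payload(decode=True) or b""
    return URL_RE.findall(body.decode("ascii", "replace"))


def triage(raw):
    """Summarise the sender-identity signals an analyst compares first."""
    msg = parse_message(raw)
    entry = first_external_hop(received_hops(msg))
    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("Return-Path"))
    urls = decoded_urls(msg)
    url_hosts = sorted({u.split("/")[2].lower() for u in urls})
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "message_id_domain": address_domain(msg.get("Message-ID")),
        "entry_host": entry[0] if entry else None,
        "entry_ip": entry[1] if entry else None,
        "spf": spf_result(msg),
        "from_vs_envelope_mismatch": from_domain != envelope_domain,
        "urls": urls,
        "url_hosts": url_hosts,
        "url_hosts_outside_sender_domains": [
            h for h in url_hosts
            if not (h.endswith(from_domain) or h.endswith(envelope_domain))
        ],
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On this message the script reports four unrelated domains (From, Return-Path, Message-ID and the link host), an SPF result of `none` for the envelope sender, and a link pointing somewhere other than any sender domain. The hop `from nobody by host.ozanimart.com with local (Exim 4.77)` together with the `X-AntiAbuse: Originator/Caller UID/GID - [99 99]` header in the post says the message was injected locally on that host by the web server's unprivileged account rather than relayed in over SMTP, which is consistent with the poster's suspicion that the host was compromised and is running somebody else's mailing script.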