Author Topic: strange email  (Read 1824 times)
Sannyasi (OP)
August 31, 2011, 10:19:21 PM
 #1

I received this in an email today and have absolutely no idea what it is- I've been getting spam emails a lot since the mtgox ordeal a while back and haven't seen anything about this one so far. I googled ACH payment canceled real fast and found that it is most likely indeed some form of virus or similar. Apologize if this is in the wrong section or has already been mentioned- I just want to make sure everyone is safe, cheers!

email was as follows (even though I don't know what this is about I replaced all the numbers just in case I'm an ignorant fool):

ACH Payment Canceled

The ACH transaction (ID:numberhere),
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

 

Rejected transaction
Transaction ID: morenumbershere
Reason for rejection: See details in the attachment
Transaction Report: document.zip (self-extracting archive, Adobe PDF)


13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association

1DxP5iL6hN5Gd3cwmDz9uFSntW8ALBQaGK

http://gamerkeys.net/common/home.htm <- the best place to get games!

my portfoio: http://windowsofamind.com
jackjack
August 31, 2011, 10:48:06 PM
 #2

If you want everyone to be safe you should have posted that in discussion & newbies boards

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
sadpandatech
September 01, 2011, 12:39:48 AM
 #3

I received this in an email today and have absolutely no idea what it is-

Transaction Report: document.zip (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association


There are 3 possible scenarios here:
 1. They are trying to drop you a virus in document.zip which apparently contains a .pdf file. DO NOT open it, upload it here http://www.virustotal.com/ Let us know if it has any results or not.
 2. They are attempting to phish you, hoping that you will initiate contact with them so they can gather info from you.
 3. They are just using your email as input while attempting to place bogus transfers.

I did not look these guys up: 13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association
Is this company at all familiar to you?

Also, if you can manage to copy the email header, that would be helpful. If you are not sure how, let us know what email client you are using, i.e. hotmail, gmail, outlook or whichever, and I am sure someone can point you to where to do so.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
Sannyasi (OP)
September 01, 2011, 01:12:33 AM
 #4

If a mod would move this to the noob section that'd be great- I didn't realize they couldn't see posts here- I'm no forum pro.

I believe this is the header that was asked for, with my email removed. Not 100% sure what a header is but I assume it's this- if anyone is interested in having a look at the file, PM me and I'll forward the e-mail. Perhaps I'm being overly paranoid- better safe than sorry though. Hope this helps.

Quote
Schedule a Meeting

From: UAE Central <supportrtes@centralbank.ae>
To: myemail@myway.com
Return-Path: <supportrtes@centralbank.ae>
X-Original-To:myemail.myway@masc003.roc2.bluetie.com
Delivered-To: myemail.myway@masc003.roc2.bluetie.com
Received: from inbound003.roc2.bluetie.com (unknown [10.200.2.8]) by mas003.roc2.bluetie.com (Postfix) with ESMTP id B33F010CD075 for <myemail@masc003.roc2.bluetie.com>; Wed, 31 Aug 2011 15:46:29 -0400 (EDT)
Received: from pool-93-186-96-33.lanta-net.ru ([93.186.96.33]) by inbound003.roc2.bluetie.com with inbound001 id T7mU1h00s0jCY1Z017mUZc; Wed, 31 Aug 2011 15:46:29 -0400
X-CMAE-Score: 0.00
X-CMAE-Analysis: v=1.1 cv=/OAG6ivncHyDQhtYKy+uMp5tGu3fnpfdUGzAF/YX4Nw= c=1 sm=1 a=2BtRIdIk0OkA:10 a=Y3CxrP4YMlo7jfo4IHnYnQ==:17 a=VlWqGyb4PYomt9_oNK4A:9 a=QnhHPmsLeDztjY5JlywA:7 a=CjuIK1q_8ugA:10 a=9JUPQPevxEIA:10 a=Uoy84ACR93MA:10 a=F-2piUvhvnwkAIYb:21 a=c-KpWjM0OQMSt5ug:21 a=_aqOVTltBoMmSOoztskA:9 a=IKIoO-ieCDEA:10 a=cvgPKy6xeMPYWlyY_V4A:14 a=Y3CxrP4YMlo7jfo4IHnYnQ==:117
Received-SPF: spf=NONE ( centralbank.ae has no opinion concerning 93.186.96.33 as a permitted sender)
Received: (qmail 7565 by uid 774); Wed, 31 Aug 2011 11:43:57 +0300
Message-ID: <1c7001cc6837$d9cd4460$025618ac@microsof-161bfd>
Content-Type: multipart/mixed; boundary="--------=_NextPart_000_0005_01CC6838.3466A060"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-BtMT: Wed, 31 Aug 2011 15:46:30 -0400 (EDT)


sadpandatech
September 01, 2011, 01:42:51 AM
 #5

If a mod would move this to the noob section that'd be great- I didn't realize they couldn't see posts here- I'm no forum pro.

I believe this is the header that was asked for, with my email removed. Not 100% sure what a header is but I assume it's this- if anyone is interested in having a look at the file, PM me and I'll forward the e-mail. Perhaps I'm being overly paranoid- better safe than sorry though. Hope this helps.

Quote
Schedule a Meeting

From: UAE Central <supportrtes@centralbank.ae>
To: myemail@myway.com
Return-Path: <supportrtes@centralbank.ae>
Received: from pool-93-186-96-33.lanta-net.ru ([93.186.96.33]) by inbound003.roc2.bluetie.com with inbound001 id T7mU1h00s0jCY1Z017mUZc; Wed, 31 A

That's your first clue, in that the true sender (pool-93-186-96-33.lanta-net.ru) is not the same as what is listed as being the sender (supportrtes@centralbank.ae). A UAE bank using a Russian server http://www.projecthoneypot.org/ip_93.186.96.33 to send their mails out with. ;p


Did you upload that .zip file to Virustotal?


Oh, and go friggin set up a new email with which to do business. Keep this one for use for spam crap. Do not reuse any parts of your current one or passwords. Then after you get the transfer finished to the new email with G0x make sure to delete all your info out of the old one in case it is compromised, namely the email that g0x sends you.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
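
The header comparison described in post #5, as an added example that is not part of the original thread: it finds the hop recorded by the recipient's own mail servers and compares it with the From domain and the Received-SPF result. The function names are hypothetical, and treating `bluetie.com` as the recipient's provider is an assumption read off the `by` hosts in the posted header.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the header lines posted in this thread (recipient redacted by the poster).
RAW = """\
From: UAE Central <supportrtes@centralbank.ae>
Return-Path: <supportrtes@centralbank.ae>
Received: from inbound003.roc2.bluetie.com (unknown [10.200.2.8]) by mas003.roc2.bluetie.com (Postfix) with ESMTP id B33F010CD075 for <myemail@masc003.roc2.bluetie.com>; Wed, 31 Aug 2011 15:46:29 -0400 (EDT)
Received: from pool-93-186-96-33.lanta-net.ru ([93.186.96.33]) by inbound003.roc2.bluetie.com with inbound001 id T7mU1h00s0jCY1Z017mUZc; Wed, 31 Aug 2011 15:46:29 -0400
Received-SPF: spf=NONE ( centralbank.ae has no opinion concerning 93.186.96.33 as a permitted sender)
Received: (qmail 7565 by uid 774); Wed, 31 Aug 2011 11:43:57 +0300
"""

HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def org_domain(host):
    # Naive: last two labels. A real tool would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def boundary_hop(msg, trusted_suffix):
    """First hop written by the recipient's own servers that has a public client IP.
    Received lines below it come from the sending side and can be forged."""
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and m[3].lower().endswith("." + trusted_suffix) \
                and not ipaddress.ip_address(m[2]).is_private:
            return m[1].lower(), m[2]
    return None, None

def triage(raw, trusted_suffix):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    host, ip = boundary_hop(msg, trusted_suffix)
    m = re.match(r"\s*(?:spf=)?(\w+)", msg.get("Received-SPF", ""))
    spf = m.group(1).lower() if m else "missing"
    findings = []
    if host and org_domain(host) != org_domain(from_domain):
        findings.append(f"relay {host} is outside From domain {from_domain}")
    if spf != "pass":
        findings.append(f"SPF result is '{spf}', not 'pass'")
    if host and ip and ip.replace(".", "-") in host:
        findings.append("relay name embeds its IP, typical of dynamic address pools")
    return {"from_domain": from_domain, "relay_host": host, "relay_ip": ip,
            "spf": spf, "findings": findings}

if __name__ == "__main__":
    print("\n".join(triage(RAW, "bluetie.com")["findings"]))
```

A relay outside the From domain is not proof on its own, since legitimate senders often use third-party mail services; it carries weight here because SPF does not vouch for the address either.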
Sannyasi (OP)
September 01, 2011, 02:18:40 AM
 #6

I believe this is where the file I uploaded is at using virus total- first time using. It's some sort of trojan (wallet stealer maybe?).

sadpandatech
September 01, 2011, 03:16:26 AM
 #7

I believe this is where the file I uploaded is at using virus total- first time using. It's some sort of trojan (wallet stealer maybe?).

After you upload it to Virustotal it will give you a report of the 40 something different scanners they hit it with and will list what, if anything, each of them found. If it says 0/40 and there are no virus names listed next to any of the scanners then it found nothing. That is not a 100% guarantee but it is pretty likely that if the file is infected it will peg it to something.

Again, do not open it or the pdf file contained inside just to be safe. ;p

fcmatt
September 01, 2011, 03:49:48 AM
 #8

It is just crap email with a zip file that contains a trojan. Simple as that. I get many a day in my spam folder and sometimes one or two slip through.

delete delete delete.
coinonymous
September 02, 2011, 09:28:11 AM
 #9

I received this in an email today and have absolutely no idea what it is-

Transaction Report: document.zip (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association


There are 3 possible scenarios here:
 1. They are trying to drop you a virus in document.zip which apparently contains a .pdf file. DO NOT open it, upload it here http://www.virustotal.com/ Let us know if it has any results or not.
 2. They are attempting to phish you, hoping that you will initiate contact with them so they can gather info from you.
 3. They are just using your email as input while attempting to place bogus transfers.

Aren't you forgetting:

4.  It's completely legit?   Roll Eyes