Email link to active threat - "Import Message" in subject

Hi All,

I received an email which fortunately I did not have time to open and read. It was timely in that I was expecting a document from the person. BUT everyone who received the email and followed the link had their email contacts deleted and most of their contacts received the same email from them.

I received a second email from another person shortly after they had opened the original email, with the same results.


I'm not sure what other damage was done (possibly some Facebook problems), but no AV, spam filter, etc. detected the problem.


Most of those that were not expecting a document fortunately did not try the link (simply clicking the link causes the problem); however, those waiting for the 'minutes of the meeting' fell victim.



I contacted Norton online chat and they suggested posting the email here as a warning and also for advice and discussion. I have tried to remove the sender's and my own email ID, but otherwise the text is intact. (I want to delete both emails ASAP, but am saving them in case they are wanted by Norton support).


From my OE properties for the email I have:


Return-path: <#########@yahoo.co.uk>
Envelope-to: #######@######.plus.com
Delivery-date: Wed, 30 Jan 2013 13:00:47 +0000
Received: from [212.159.8.109] (helo=avasin07.plus.net)
      by inmx07.plus.net with esmtp (PlusNet MXCore v2.00) id 1U0XHT-0002pQ-Ju
      for ####@######.plus.com; Wed, 30 Jan 2013 13:00:47 +0000
Received: from nm12-vm1.bullet.mail.ird.yahoo.com ([77.238.189.204])
    by avasin07.plus.net with Plusnet Cloudmark Gateway
    id uD0l1k00K4R2mVZ01D0ngu; Wed, 30 Jan 2013 13:00:47 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.0 cv=e4HYv9V/ c=1 sm=1 a=F/Jg3Tq2+rTxA150FTDbHA==:17
 a=PLmm6w-6prgA:10 a=7iGtFnJ6Z08A:10 a=zzxzp6Hi2ogA:10 a=Y1b8bm_hOb0A:10
 a=BrDiTsk0AAAA:8 a=CjxXgO3LAAAA:8 a=dnSwayA-ywAA:10 a=inZ3FAaGFssnqmqCnawA:9
 a=wPNLvfGTeEIA:10 a=NcHqk9j-AAAA:8 a=gsg6zVp6O6jfCEobWkIA:9 a=_W_S_7VecoQA:10
 a=-quq4kdlCHjtyVoJ:21 a=XycoWaI3ngXo+/RwspEoXg==:117
Received: from [212.82.105.245] by nm12.bullet.mail.ird.yahoo.com with NNFMP; 30 Jan 2013 13:00:45 -0000
Received: from [212.82.108.121] by tm17.bullet.mail.ird.yahoo.com with NNFMP; 30 Jan 2013 13:00:45 -0000
Received: from [127.0.0.1] by omp1030.mail.ird.yahoo.com with NNFMP; 30 Jan 2013 13:00:45 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 401612.84882.bm@omp1030.mail.ird.yahoo.com
Received: (qmail 24985 invoked by uid 60001); 30 Jan 2013 13:00:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1359550844; bh=+TVZ+isTKgCGpuD5ew+VKVFMo1dLA84ML0Egs2aX3PE=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=LYV5qcZdFmP1fZx2pX4R6aO8djQgC4Uy08Y9ybncLxOpgQkICBhsbqU7byjNbMTLMgD+MUAKYBSLbfDBCMY9O4H8Z2pAzBTx9ifgSafttiuk2vumWoYnL6FvMPHZHm2hnI3nr8FQWRyrNOWsmQD78GgRBaVKwMGCn/Jt8um6rNk=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
  h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
  b=KjLdF07SokxGJ1jwvRTKuli1Gsn4ajcWEUv27E4jdjU4kkMsCtwZUQ7hsVVy1pW5Tz7iUbe62x5nC3gDx2l7QcDDdrvss4x7XIk2E7apb8bkGsUpcUaEOMNf/7QNmQwu3fbax8g7LbNyJbRepPp0S/jlLDzSe4trHehY1ER3SbU=  ;
X-YMail-OSG: uzI6R8AVM1kx3zCCTaM6RH8iV7NEA8D9fG0AxHwb8fSXBTY
 8kCu1qAlO8V1oROpxXvEs.omV0M8y_Fk605YWNM1mAbE714LdImioVny2yfc
 JGhX1M2svCPtJT0Fu8bMouG8evcQ18MpPRAmcWMZWpQXJcMpTIQdjBPH8pa3
 W17RcHqA.5mjLIQ20gAj7NJZ4kN7M7V4E3bKZa1BSsoGxsCFDuUSmyd_WZw_
 Fzq3Ey.vGwTU2OKGGzrce2i8Z3SZU5qZZqxgOkCIsNa9HN7RjYC.R2Q58rDz
 i9Yz6.Gm.Lhek_w7Xm5scE0151VqpXbGFG.R6zVccGeJn1eo0ZoG2Aa016MJ
 k2IdpvR8lL4bGsRdORFLo1PKTQaIvhJ8hBfAe8rNn_sY0kzKuafB2eOHdPJW
 _lYNK8VlvXT8br8kCQ8W8EcD6WSslzX75x6dTlw.D_3aRP2jqDN.6cxhlruI
 qnGQm9ne0EYryiMTyTAM0nYOYD0mDJeIOckl3Rs1gG.Vye.hWkk6GTdtBiAJ
 WK_Vl.rf7_DWHYd3ig0k54f.QMPFjnAjNuz4LvnlujAaeRpYNDc0hQWLrGI9
 nokFuEjmmQHsN6_mHjrugOXtL80Lt5BCMys0hc.sh_KUj7nX7ZPt_EJBdP5m
 6ytyN_HTDZRkVx3Un463QpTacx47Y3oisC20gl4p6ckCkFM5buhAoyZ4qleC
 kI0EQcrjSz3Tw67Jz_brHpN7.vy229c1Wk.VUW7kfHLPx52tgmvexLLBrR6S
 Su03G0YsvOTdf.F2WhZAktVs1BOB6rzlL_snzbNeLjVqW0CM8yy7XTC_u7Sl
 P4DMtOfX4oSA-
Received: from [78.129.190.172] by web172505.mail.ir2.yahoo.com via HTTP; Wed, 30 Jan 2013 13:00:43 GMT
X-Rocket-MIMEInfo: 001.001,SGVsbG8sCgpQbGVhc2UgdmlldyB0aGUgZG9jdW1lbnQgaSB1cGxvYWRlZCBmb3IgeW91IHVzaW5nIEdvb2dsZSBkb2NzLiDCoENMSUNLIEhFUkXCoCBBbmQgc2lnbiBpbiB3aXRoIHlvdXIgcGVyc29uYWwgZW1haWwgdG8gdmlldyB0aGUgZG9jdW1lbnQgaXRzIHZlcnkgaW1wb3J0YW50LiAKClRoYW5rcy4BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.131.499
Message-ID: <1359550843.351.YahooMailNeo@web172505.mail.ir2.yahoo.com>
Date: Wed, 30 Jan 2013 13:00:43 +0000 (GMT)
From: ########## <########@yahoo.co.uk>
Reply-To: ####### <#########@yahoo.co.uk>
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="342106908-713075247-1359550843=:351"
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Important  Document
X-Brightmail-Tracker: AAAAARzjB/s=
X-Brightmail-Tracker: AAAAAA==

and for the message source (headers as above, followed by the body):


--342106908-713075247-1359550843=:351
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello,=0A=0APlease view the document i uploaded for you using Google docs. =
=A0CLICK HERE=A0 And sign in with your personal email to view the document =
its very important. =0A=0AThanks.
--342106908-713075247-1359550843=:351
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:ga=
ramond, new york, times, serif;font-size:14pt"><div>=0A</div><div class=3D"=
p1">Hello,</div>=0A<div class=3D"p2"><br></div>=0A<div class=3D"p1">Please =
view the document i uploaded for you using Google docs. <span class=3D"Appl=
e-converted-space">&nbsp;</span><span class=3D"s1"> <a href=3D"http://mob.s=
xeadulttoys.com.au/googledoc/googledocss/sss/"><span class=3D"s2">CLICK HER=
E</span></a></span><span class=3D"Apple-converted-space">&nbsp; </span>And =
sign in with your personal email to view the document its very important.=
=0A</div>=0A<div class=3D"p2"><br></div>=0A<div class=3D"p1">Thanks.</div>=
=0A=0A=0A</div></body></html>
--342106908-713075247-1359550843=:351--
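A triage script for a message like the one above, added here as an example (it is not part of the original post and not from Norton): it parses a trimmed, constructed copy of the source, walks the Received chain bottom-up to find the submitting client IP, decodes the quoted-printable HTML (the '=' soft line breaks split the URL in the raw source) and flags links whose host does not belong to the "Google docs" service the lure text names. The lure text, IP and URL are the ones quoted in the post; the sender placeholder and the function names (parse, originating_ip, lure_links) are mine.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed, trimmed copy of the message source quoted above (single-part HTML
# instead of multipart/alternative); the redacted sender is a placeholder.
RAW = b"""Received: (qmail 24985 invoked by uid 60001); 30 Jan 2013 13:00:44 -0000
Received: from [78.129.190.172] by web172505.mail.ir2.yahoo.com via HTTP; Wed, 30 Jan 2013 13:00:43 GMT
From: redacted <redacted@yahoo.co.uk>
Subject: Important  Document
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body>Please view the document i uploaded for you using Google docs. <a href=3D"http://mob.s=
xeadulttoys.com.au/googledoc/googledocss/sss/">CLICK HER=
E</a></body></html>
"""

def parse(raw=RAW):
    return email.message_from_bytes(raw, policy=policy.default)

def originating_ip(msg):
    """Received headers are prepended hop by hop, so the bottom-most is the earliest;
    return its bracketed client IP (skipping loopback): here the webmail client."""
    for hop in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m and not m.group(1).startswith("127."):
            return m.group(1)
    return None

def lure_links(msg, claimed_suffix="google.com"):
    """Decode the HTML part (get_content undoes quoted-printable, rejoining the URL
    split by soft breaks) and return (anchor text, host) for every off-service link."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    hits = []
    for href, inner in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if "google" in html.lower() and not host.endswith(claimed_suffix):
            hits.append((re.sub(r"<[^>]+>", "", inner).strip(), host))
    return hits

if __name__ == "__main__":
    msg = parse()
    print("submitted from:", originating_ip(msg))
    for text, host in lure_links(msg):
        print(f"'{text}' claims a Google docs link but points at {host}")
```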


For my own safety I have deleted my rogue emails, but look forward to any comments.