Date: Wed, 23 Jan 2013 16:55:46 +0100
From: ".Анисимов@direct.nacha.org" [firstname.lastname@example.org]
Subject: Direct Deposit payment was declined

Attn: Accounting Department

We regret to inform you, that your latest Direct Deposit transaction (#432007776488) was declined, because of your current Direct Deposit software being out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please contact your financial institution to get the necessary updates of the Direct Deposit software.

ACH Network Rules Department
NACHA - The Electronic Payments Association
10608 Sunrise Valley Drive, Suite 452
Herndon, VA 20169
Phone: 703-561-4685 Fax: 703-787-1154

The malicious payload is at [donotclick]canonicalgrumbles.biz/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 126.96.36.199 (Ukrainian Hosting / ukrainianhosting.com). I've seen other malware servers in 188.8.131.52/21 before; I would recommend blocking the whole lot.