The attached document starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work, because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe).

Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From: Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]
Subject: Important Documents
Please review attached documents.
Wells Fargo Advisors
817-380-3921 cell Bryon.Faulkner@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
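
The attachment naming described at the top of this post can be checked at a mail gateway. The following is an added example, not code from the original post: it assumes the attachment is a ZIP archive (the post does not name the container type), and the function names, the `domain_locals` parameter and the example.com addresses are hypothetical.

```python
import io
import re
import zipfile
from datetime import datetime

# Inner payload name from the post: Documents_MMDDYYYY.exe
INNER_RE = re.compile(r"^Documents_(\d{8})\.exe$", re.IGNORECASE)
# Outer attachment name: Documents_<token>.<ext> (extension is an assumption)
OUTER_RE = re.compile(r"^Documents_([^.]+)\.\w+$", re.IGNORECASE)


def date_encoded(name):
    """Return the date if name is Documents_MMDDYYYY.exe with a real calendar date."""
    m = INNER_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%m%d%Y").date()
    except ValueError:
        return None


def check_attachment(filename, data, recipient, domain_locals=()):
    """Return the reasons an attachment matches the naming seen in this spam run."""
    reasons = []
    local, _, _ = recipient.partition("@")
    m = OUTER_RE.match(filename)
    if m:
        token = m.group(1).lower()
        if token == local.lower():
            reasons.append("outer name carries recipient local part")
        elif token in {name.lower() for name in domain_locals}:
            reasons.append("outer name carries another local part in the same domain")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                d = date_encoded(member)
                if d:
                    reasons.append(f"date-encoded executable inside: {member} ({d})")
    return reasons


def build_sample(inner_name):
    """Constructed sample: a ZIP holding a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder")
    return buf.getvalue()
```

Passing the other mailbox names in the recipient's domain as `domain_locals` covers the case noted above, where the filename carries a different recipient's name from the same domain.
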
The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48. Automated analysis shows an attempted connection to the site demandtosupply.com on 220.127.116.11 (ioMart, UK), which is a server spotted in a similar attack a few weeks ago.
Unfortunately, when more than one domain on a server is compromised, it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box (listed below), so exercise caution if deciding to block them.
Sites hosted on 18.104.22.168, for information only: