Regarding the email that the infection came from: it looks like it was an email with a link, supposedly from the firm Kancler (ООО "Канцлер", from whom we buy office supplies). Its text content:
Repeat notice.
We remind you that you have not paid the latest invoice for the office-supply delivery. We need to close the reporting period.
Please pay this week. We are sending the invoice again [redacted]
Sincerely,
Nina Vyacheslavovna Popova
Commercial Director, ООО "Канцлер"
Penza, Prospekt Stroiteley 45A
Shopping centre "Космос-Сити"
Tel. +7 (8412) 40-88-40
The link leads to the address: [redacted]
I just tried to search for the file itself on the computer and did not find it; only shortcuts pointing to that file remain in the Downloads folder (Kancler.Oplata.zip).
That this is where it came from was suggested to us today by the company SBiS (electronic reporting to the tax office), since they have just helped us restore our reporting databases from the server. And they said that a lot of people are complaining about "Kancler" right now.
I will also give the source of the Kancler email:
Received: from mxback9h.mail.yandex.net ([127.0.0.1])
by mxback9h.mail.yandex.net with LMTP id 8PHiT1Mh
for <[email protected]>; Tue, 28 Jul 2015 07:17:02 +0300
Received: from forward1h.mail.yandex.net (forward1h.mail.yandex.net [2a02:6b8:0:f05::10])
by mxback9h.mail.yandex.net (nwsmtp/Yandex) with ESMTP id bR2KjeggOS-H11CLcO1;
Tue, 28 Jul 2015 07:17:01 +0300
X-Yandex-Front: mxback9h.mail.yandex.net
X-Yandex-TimeMark: 1438057021
X-Yandex-Spam: 1
Received: from mxfront4h.mail.yandex.net (mxfront4h.mail.yandex.net [84.201.187.136])
by forward1h.mail.yandex.net (Yandex) with ESMTP id E27B99E018F
for <[email protected]>; Tue, 28 Jul 2015 07:17:01 +0300 (MSK)
Received: from mxfront4h.mail.yandex.net ([127.0.0.1])
by mxfront4h.mail.yandex.net with LMTP id l4XPjy4z
for <[email protected]>; Tue, 28 Jul 2015 07:17:01 +0300
Received: from mx127.mail.ru (mx127.mail.ru [94.100.188.17])
by mxfront4h.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id mbXIhNEUfC-H0qWYZ6m;
Tue, 28 Jul 2015 07:17:00 +0300
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client certificate not present)
Received: from [90.156.200.21] (ident=mail)
by mx127.mail.ru with local (envelope-from <[email protected]>)
id 1ZJwK4-0002AC-3P
for [email protected]; Tue, 28 Jul 2015 07:17:00 +0300
X-ResentFrom: <[email protected]>
X-MailRu-Forward: 1
Received-SPF: none
Received: from relay-out1.shared.masterhost.ru ([90.156.200.21]:47166)
by mx127.mail.ru with esmtp (envelope-from <[email protected]>)
id 1ZJwK3-00029D-Il
for [email protected]; Tue, 28 Jul 2015 07:16:59 +0300
X-Mru-TLS: TLSv1.2:AES128-SHA
X-Mru-BadRcptsCount: 0
X-Mru-PTR: *off*
X-Mru-NR: 1
X-Mru-OF: Linux (Ethernet or modem)
X-Mru-RC: RU
Received: from gen151.hs.shared.masterhost.ru ([87.242.64.162])
by relay1.shared.masterhost.ru with esmtp
envelope from <[email protected]>
message id 1ZJwK3-0006Xd-Vu
for [email protected]; Tue, 28 Jul 2015 07:17:00 +0300
Received: from u326258 by gen151.hs.shared.masterhost.ru with local (Exim 4.80)
(envelope-from <[email protected]>)
id 1ZJwJq-0001ft-Bp
for [email protected]; Tue, 28 Jul 2015 07:16:46 +0300
To: <[email protected]>
Subject: =?windows-1251?B?0ffl8iDu8iDOzs4gIsrg7fbr5fAiLiDK4O32?=
=?windows-1251?B?8u7i4PD7?=
X-PHP-Script: xn--80ah0bw.xn--p1ai/tmp/324567.php for 217.23.5.223, 217.23.5.223
X-PHP-Originating-Script: 5287:324567.php
Message-ID: <4DB7FE54E6321E2DF1F4BD22D6DE1E13@174873497834209686430869453>
Reply-To: =?windows-1251?B?zejt4CDP7u/u4uA=?= <[email protected]>
From: =?windows-1251?B?zejt4CDP7u/u4uA=?= <[email protected]>
Date: Tue, 28 Jul 2015 07:15:52 +0200
Organization: =?windows-1251?B?zs7OIMrg7fbr5fA=?=
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00CE_01D0C905.3CA3EDA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 81531 [Jul 28 2015]
X-KLMS-AntiSpam-Version: 5.5.6
X-KLMS-AntiSpam-Envelope-From: [email protected]
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Moebius-Timestamps: 3668095, 0, 0
X-KLMS-AntiSpam-Info: LuaCore: 250 250 263d1db7ab7ff8c9df38ac7271e72301eb3858ca, Auth:spf=none smtp.mailfrom=undeliverable.masterhost.ru
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server 8.0.0.455, not checked
X-KLMS-AntiVirus-Status: NotChecked: not checked, skipped
X-DMARC-Policy: no
X-Mras: Ok
X-Mru-Authenticated-Sender: [email protected]
X-Spam: undefined
X-Spam-Status: UNDEF
X-DMARC-Policy: no
X-Mras: Ok
X-Mru-Authenticated-Sender: [email protected]
X-Yandex-Forward: fd982739a97fc15f0c2e788ee5128efb
Return-Path: [email protected]
X-Yandex-Forward: 157a2e9b56fc0487448582c2b7282744
X-Yandex-Filter: 2390000000000902090
This is a multi-part message in MIME format.
------=_NextPart_000_00CE_01D0C905.3CA3EDA0
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
=CF=EE=E2=F2=EE=F0=ED=EE.
=CD=E0=EF=EE=EC=E8=ED=E0=E5=EC, =F7=F2=EE =E2=E0=EC=E8 =ED=E5=EE=EF=EB=E0=
=F7=E5=ED =EF=EE=F1=EB=E5=E4=ED=E8=E9 =F1=F7=E5=F2 =E7=E0 =EF=EE=F1=F2=E0=
=E2=EA=F3 =EA=E0=ED=F6=F2=EE=E2=E0=F0=EE=E2. =CD=E0=EC =ED=F3=E6=ED=EE =E7=
=E0=EA=F0=FB=F2=FC =EE=F2=F7=E5=F2=ED=FB=E9 =EF=E5=F0=E8=EE=E4.
=CF=F0=EE=F1=E8=EC =EE=EF=EB=E0=F2=E8=F2=FC =ED=E0 =FD=F2=EE=E9 =ED=E5=E4=
=E5=EB=E5. =D1=F7=E5=F2 =E2=FB=F1=FB=EB=E0=E5=EC =E5=F9=E5 =F0=E0=E7 http=
://kancler.ru/docs/2015-07/
=D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC,
=CD=E8=ED=E0 =C2=FF=F7=E5=F1=EB=E0=E2=EE=E2=ED=E0 =CF=EE=EF=EE=E2=E0
=CA=EE=EC=EC=E5=F0=F7=E5=F1=EA=E8=E9 =E4=E8=F0=E5=EA=F2=EE=F0 =CE=CE=CE "=
=CA=E0=ED=F6=EB=E5=F0"
=E3. =CF=E5=ED=E7=E0, =EF=F0=EE=F1=EF=E5=EA=F2 =D1=F2=F0=EE=E8=F2=E5=EB=E5=
=E9 45=C0
=D2=D6 "=CA=EE=F1=EC=EE=F1-=D1=E8=F2=E8"
=D2=E5=EB. +7 (8412) 40-88-40
------=_NextPart_000_00CE_01D0C905.3CA3EDA0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Dwindows-1251" http-equiv=3DContent-=
Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.23588">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=CF=EE=E2=F2=EE=F0=ED=EE.</=
FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial></FONT> </DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=CD=E0=EF=EE=EC=E8=ED=E0=E5=
=EC, =F7=F2=EE =E2=E0=EC=E8 =ED=E5=EE=EF=EB=E0=F7=E5=ED =EF=EE=F1=EB=E5=E4=
=ED=E8=E9=20
=F1=F7=E5=F2 =E7=E0 =EF=EE=F1=F2=E0=E2=EA=F3 =EA=E0=ED=F6=F2=EE=E2=E0=F0=EE=
=E2. =CD=E0=EC =ED=F3=E6=ED=EE =E7=E0=EA=F0=FB=F2=FC </FONT><FO=
NT size=3D2=20
face=3DArial>=EE</FONT><FONT size=3D2 face=3DArial>=F2=F7=E5=F2=ED=FB=E9 =
=EF=E5=F0=E8=EE=E4.</FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=CF=F0=EE=F1=E8=EC =EE=EF=EB=
=E0=F2=E8=F2=FC =ED=E0 =FD=F2=EE=E9=20
=ED=E5=E4=E5=EB=E5.</FONT><FONT size=3D2 face=3DArial> </FONT><FONT size=3D=
2 face=3DArial>=D1=F7=E5=F2=20
=E2=FB=F1=FB=EB=E0=E5=EC =E5=F9=E5 =F0=E0=E7 <A=20
href=3D"http://holt.by/language/en-GB/index.html">
http://kancler.ru/docs/=
2015-07/</A></FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial></FONT><FONT size=3D2=20
face=3DArial></FONT> </DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=D1 =F3=E2=E0=E6=E5=ED=E8=E5=
=EC,</FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial></FONT> </DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=CD=E8=ED=E0 =C2=FF=F7=E5=F1=
=EB=E0=E2=EE=E2=ED=E0 =CF=EE=EF=EE=E2=E0</FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial></FONT> </DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=CA=EE=EC=EC=E5=F0=F7=E5=F1=
=EA=E8=E9 =E4=E8=F0=E5=EA=F2=EE=F0 =CE=CE=CE=20
"=CA=E0=ED=F6=EB=E5=F0"</FONT></DIV>
<DIV align=3Dleft><FONT size=3D2 face=3DArial>=E3. =CF=E5=ED=E7=E0, =EF=F0=
=EE=F1=EF=E5=EA=F2 =D1=F2=F0=EE=E8=F2=E5=EB=E5=E9 45=C0<BR>=D2=D6=20
"=CA=EE=F1=EC=EE=F1-=D1=E8=F2=E8"<BR>=D2=E5=EB. +7 (8412) 40-88-40</=
FONT></DIV></BODY></HTML>
------=_NextPart_000_00CE_01D0C905.3CA3EDA0--
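Added example, not part of the original post and not code from any of the providers named in it: a small Python triage script that does, for a raw message like the one pasted above, the three checks that matter here. It decodes the windows-1251 encoded-word Subject, walks the Received headers from origin to destination (the last Received header is the oldest, so the chain is read in reverse), and parses the HTML part to find links whose visible text is a URL on one host while the real href points at another, which is exactly what the quoted HTML shows (text kancler.ru, href holt.by). The embedded message is a constructed sample that keeps the hostnames, ids and the mismatched link from the post; the email addresses are placeholders.

```python
import email
import re
from email.header import decode_header
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers and body quoted in the post.
# Hostnames, queue ids and the mismatched link come from the post; the
# addresses are placeholders, not the real ones.
RAW_EMAIL = b"""Received: from mx127.mail.ru (mx127.mail.ru [94.100.188.17])
 by mxfront4h.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id mbXIhNEUfC-H0qWYZ6m;
 Tue, 28 Jul 2015 07:17:00 +0300
Received: from relay-out1.shared.masterhost.ru ([90.156.200.21]:47166)
 by mx127.mail.ru with esmtp (envelope-from <sender@example.invalid>)
 id 1ZJwK3-00029D-Il; Tue, 28 Jul 2015 07:16:59 +0300
Received: from gen151.hs.shared.masterhost.ru ([87.242.64.162])
 by relay1.shared.masterhost.ru with esmtp; Tue, 28 Jul 2015 07:17:00 +0300
Received: from u326258 by gen151.hs.shared.masterhost.ru with local (Exim 4.80)
 id 1ZJwJq-0001ft-Bp; Tue, 28 Jul 2015 07:16:46 +0300
To: <recipient@example.invalid>
Subject: =?windows-1251?B?0ffl8iDu8iDOzs4gIsrg7fbr5fAiLiDK4O32?=
 =?windows-1251?B?8u7i4PD7?=
X-PHP-Originating-Script: 5287:324567.php
From: =?windows-1251?B?zejt4CDP7u/u4uA=?= <sender@example.invalid>
Date: Tue, 28 Jul 2015 07:15:52 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_00CE_01D0C905.3CA3EDA0"

------=_NextPart_000_00CE_01D0C905.3CA3EDA0
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

=D1=F7=E5=F2 =E2=FB=F1=FB=EB=E0=E5=EC =E5=F9=E5 =F0=E0=E7 http=
://kancler.ru/docs/2015-07/

------=_NextPart_000_00CE_01D0C905.3CA3EDA0
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><DIV><FONT size=3D2 face=3DArial>=D1=F7=E5=F2 =E5=F9=E5 =F0=E0=E7 <A=20
href=3D"http://holt.by/language/en-GB/index.html">
http://kancler.ru/docs/=
2015-07/</A></FONT></DIV></BODY></HTML>

------=_NextPart_000_00CE_01D0C905.3CA3EDA0--
"""


def decode_rfc2047(value):
    """Decode an RFC 2047 header value (here windows-1251, base64) to str."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def received_chain(msg):
    """(from_host, by_host) hops in delivery order, origin first.

    Each relay prepends its own Received header, so the bottom one is the oldest."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", flat, re.I)
        m_by = re.search(r"\bby\s+(\S+)", flat, re.I)
        hops.append((m_from.group(1) if m_from else "?",
                     m_by.group(1) if m_by else "?"))
    return hops


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def html_part(msg):
    """Return the decoded text/html part (quoted-printable and charset undone)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "ascii", errors="replace")
    return ""


def mismatched_links(msg):
    """Links whose visible text is a URL on a different host than the real href."""
    parser = AnchorCollector()
    parser.feed(html_part(msg))
    findings = []
    for text, href in parser.anchors:
        if not text.lower().startswith(("http://", "https://")):
            continue
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append((shown, real, href))
    return findings


def triage(raw):
    """Summarise the points an analyst would check first on a suspect invoice mail."""
    msg = email.message_from_bytes(raw)
    return {
        "subject": decode_rfc2047(msg.get("Subject", "")),
        "hops": received_chain(msg),
        "php_script": msg.get("X-PHP-Originating-Script"),
        "mismatched_links": mismatched_links(msg),
    }


if __name__ == "__main__":
    report = triage(RAW_EMAIL)
    print("Subject:", report["subject"])
    print("Sent by PHP script:", report["php_script"])
    for src, dst in report["hops"]:
        print(f"  {src} -> {dst}")
    for shown, real, href in report["mismatched_links"]:
        print(f"  link shows {shown} but goes to {real}: {href}")
```

The two signals worth acting on are the hop chain ending at a shared-hosting PHP script rather than the supplier's own mail system, and the visible kancler.ru URL wrapping an href on another host; a mail gateway rule or a user-side check that flags text/href host mismatches would have caught this message before anyone clicked.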