MX Lab, http://www.mxlab.eu, started to intercept emails with the subject “LogMeIn Account Notification – Account locked”. This email is sent from the spoofed address “LogMeIn.com Auto-Mailer <firstname.lastname@example.org>” and has the following body:
Dear LogMeIn User,
Your LogMeIn.com account has been locked due to several unsuccessful login attempts.
Event: Account locked
At: 3/6/2013 4:46 AM
To unlock your account, you will need to complete the following unlock form:
After the form has been completed, forward a scanned copy to email@example.com.
(Please do not reply to this email, as it’s sent from an address that’s not monitored.)
If you need additional help, visit LogMeIn Support at:
The malicious URL downloads a ZIP file with the name logmein_unlock_form.zip that contains a 260 kB file named logmein_unlock_form.pif.
The trojan is known as Trojan.Win32.Agent.AMN (A), a variant of Win32/Kryptik.ASTO, Trojan-Spy:W32/Zbot.BBHD, UDS:DangerousObject.Multi.Generic, Trojan.Zbot or Troj/Agent-AANP.
The following process will be created:
The following host name was requested from a host database: 188.8.131.52.
Several Windows registry changes will be executed and the trojan can establish a connection with the domain 249a2efd08167c5c.com on port 80.
At the time of writing, 5 of the 46 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e.
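As an added example (not part of the MX Lab write-up), the script below turns the indicators above into a simple mail-gateway check: it parses a message, opens any ZIP attachment in memory, flags executable members such as the .pif file described, and compares each member's SHA256 against the published hash. The sample message is constructed here for illustration; its payload is not the real trojan, so the hash check only demonstrates the comparison.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
SUSPECT_SUBJECT = "LogMeIn Account Notification"
SUSPECT_SHA256 = "f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e"
# Windows-executable extensions that never belong inside an "unlock form" ZIP.
EXEC_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")


def build_sample_message(inner_name: str, payload: bytes) -> bytes:
    """Constructed sample mimicking the campaign: a ZIP with one member attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    msg = EmailMessage()
    msg["From"] = "LogMeIn.com Auto-Mailer <noreply@example.invalid>"  # spoofed, placeholder
    msg["Subject"] = "LogMeIn Account Notification - Account locked"
    msg.set_content("Your LogMeIn.com account has been locked ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="logmein_unlock_form.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return the reasons a message is flagged; an empty list means nothing matched."""
    reasons = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    if SUSPECT_SUBJECT.lower() in str(msg["Subject"] or "").lower():
        reasons.append("subject matches campaign")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_content()))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: not a valid ZIP")
            continue
        for info in zf.infolist():
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append(f"{name}: executable member {info.filename}")
            if hashlib.sha256(zf.read(info)).hexdigest() == SUSPECT_SHA256:
                reasons.append(f"{name}: {info.filename} matches known SHA256")
    return reasons
```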