Email “LogMeIn Account Notification – Account locked” contains malicious URL


MX Lab, http://www.mxlab.eu, started to intercept emails with the subject “LogMeIn Account Notification – Account locked”. This email is sent from the spoofed address “LogMeIn.com Auto-Mailer <do-not-reply@logmein.com>” and has the following body:

Dear LogMeIn User,

Your LogMeIn.com account has been locked due to several unsuccessful login attempts.

Event: Account locked
Source: Website
At: 3/6/2013 4:46 AM
From: 42.12.172.6

To unlock your account, you will need to complete the following unlock form :
hxxps://secure.logmein.com/download.asp?action=unlock&form_id=6482653

After the form has been completed, forward a scanned copy to security@logmein.com.
(Please do not reply to this email, as it’s sent from an address that’s not monitored.)

If you need additional help, visit LogMeIn Support at:
http://help.logmein.com/SelfServiceTicketSupportSales?support=1&lang=en

Regards,

LogMeIn.com Support

The malicious URL downloads a ZIP file named logmein_unlock_form.zip that contains the 260 kB file logmein_unlock_form.pif.

The trojan is known as Trojan.Win32.Agent.AMN (A), a variant of Win32/Kryptik.ASTO, Trojan-Spy:W32/Zbot.BBHD, UDS:DangerousObject.Multi.Generic, Trojan.Zbot or Troj/Agent-AANP.

The following process will be created:

umgio.exe

The following Host Name was requested from a host database: 192.5.5.241.

Several Windows registry changes will be executed and the trojan can establish a connection with the domain 249a2efd08167c5c.com on port 80.

At the time of writing, only 5 of the 46 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e.
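As an added defender-side example (not from MX Lab or the original post), the following Python script checks an incoming message and a downloaded ZIP against the indicators listed above: the subject, the spoofed sender, the "unlock form" URL pattern, an executable (.pif) member inside the archive, and the published SHA256. The sample email and ZIP are constructed for the demonstration, not real captures.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_string

# Indicators taken from the write-up above.
KNOWN_SUBJECT = "logmein account notification"
SPOOFED_SENDER = "do-not-reply@logmein.com"
UNLOCK_URL = re.compile(r"download\.asp\?action=unlock", re.I)
KNOWN_SHA256 = {"f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e"}
# Extensions Windows executes directly; .pif is the one this campaign uses.
EXECUTABLE_EXTS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")


def check_email(raw: str) -> list:
    """Return the indicator names matched by a single-part text message."""
    msg = message_from_string(raw)
    hits = []
    if KNOWN_SUBJECT in (msg["Subject"] or "").lower():
        hits.append("subject")
    if SPOOFED_SENDER in (msg["From"] or "").lower():
        hits.append("spoofed-sender")
    if UNLOCK_URL.search(msg.get_payload()):
        hits.append("unlock-url")
    return hits


def check_zip(data: bytes) -> list:
    """Flag executable members and members whose SHA256 is a known IoC."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                hits.append("executable:" + info.filename)
            if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                hits.append("known-sha256:" + info.filename)
    return hits


# Constructed sample modelled on the email quoted above (not a real capture).
SAMPLE_EMAIL = (
    "From: LogMeIn.com Auto-Mailer <do-not-reply@logmein.com>\n"
    "Subject: LogMeIn Account Notification - Account locked\n"
    "\n"
    "To unlock your account, you will need to complete the following unlock form :\n"
    "https://secure.logmein.com/download.asp?action=unlock&form_id=6482653\n"
)


def build_sample_zip() -> bytes:
    """Build a harmless ZIP holding a dummy .pif so check_zip can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logmein_unlock_form.pif", b"not a real executable")
    return buf.getvalue()
```

The dummy .pif is flagged by extension only; a real sample from this campaign would additionally produce a known-sha256 hit.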

5 thoughts on “Email “LogMeIn Account Notification – Account locked” contains malicious URL”

  1. I just got this at my .edu email, I scanned the zip with MSE but it didn’t find the trojan. LogMeIn should put something on their website warning people about this.

  2. This is also good.
    The software works well, Ammyy Admin doesn’t require installation or specific config, works behind gateways NAT as well as within one LAN.
