Email “LogMeIn Account Notification – Account locked” contains malicious URL

MX Lab started to intercept emails with the subject “LogMeIn Account Notification – Account locked”. This email is sent from the spoofed address “ Auto-Mailer <>” and has the following body:

Dear LogMeIn User,

Your account has been locked due to several unsuccessful login attempts.

Event: Account locked
Source: Website
At: 3/6/2013 4:46 AM

To unlock your account, you will need to complete the following unlock form :

After the form has been completed, forward a scanned copy to
(Please do not reply to this email, as it’s sent from an address that’s not monitored.)

If you need additional help, visit LogMeIn Support at:

Regards, Support

The malicious URL downloads a ZIP file with the name that contains the 260 kB large file logmein_unlock_form.pif.

The trojan is known as Trojan.Win32.Agent.AMN (A), a variant of Win32/Kryptik.ASTO, Trojan-Spy:W32/Zbot.BBHD, UDS:DangerousObject.Multi.Generic, Trojan.Zbot or Troj/Agent-AANP.

The following process will be created:


The following Host Name was requested from a host database:

Several Windows registry changes will be executed and the trojan can establish a connection with the domain on port 80.

At the time of writing, 5 of the 46 AV engines detected the trojan at Virus Total.

Virus Total permalink and SHA256: f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e.
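With only 5 of 46 engines detecting the file, a mail gateway can still flag this kind of attachment by structure. The following is an added example, not code from MX Lab: it inspects a ZIP for members with executable extensions such as .pif and compares hashes against the SHA256 above. The extension list, the size limit and the function names are assumptions, and the sample archive is constructed and harmless.

```python
import hashlib
import io
import zipfile

# SHA256 quoted on this page. The page does not say whether it belongs to the
# ZIP or to the .pif inside it, so both are checked (assumption).
KNOWN_SHA256 = {"f4c024350b23bb0b5318f07618f85b9de802e3289aa7e9f4e2759549da5ccd6e"}
# Extensions Windows runs as programs; this list is an assumption, extend as needed.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not decompress oversized members


def inspect_zip(data, known=KNOWN_SHA256):
    """Return a list of (member_name, reason) findings for a ZIP given as bytes."""
    findings = []
    if hashlib.sha256(data).hexdigest() in known:
        findings.append(("<archive>", "known-sha256"))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [("<archive>", "not-a-valid-zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them first.
            base = info.filename.rsplit("/", 1)[-1].rstrip(". ").lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable-extension " + ext))
            if info.flag_bits & 0x1:  # encrypted: cannot be hashed without a password
                findings.append((info.filename, "encrypted-member"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized-member"))
            elif hashlib.sha256(archive.read(info)).hexdigest() in known:
                findings.append((info.filename, "known-sha256"))
    return findings


def build_sample():
    """Constructed sample: a text payload stored under the file name from this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("logmein_unlock_form.pif", b"constructed placeholder, not malware")
        z.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```
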

5 thoughts on “Email “LogMeIn Account Notification – Account locked” contains malicious URL”

  1. I just got this at my .edu email, I scanned the zip with MSE but it didn’t find the trojan. LogMeIn should put something on their website warning people about this.

  2. This is also good.
    The software works well, Ammyy Admin doesn’t require installation or specific config, works behind gateways NAT as well as within one LAN.
