Malware spotted in LogMeIn “Account locked” Notification
For all the LogMeIn users out here I spotted some potential Malware via my inbox yesterday and thought I will let you know.
LogMeIn Notification - Malware
I received a notification from LogMeIn (do-not-reply@logmein.com) stating LogMeIn Account Notification – Account locked. Since I do not have a LogMeIn account on this email address I was immediately suspicious and decided to investigate further.
The e-mail address looks authentic but could have been spoofed (Later confirmed by many Anti Virus providers). Next I investigated the clickable links on the e-mail. The text displayed seemed shows a “secure.logmein.com” address, but if you hover the mouse over the link (to reveal the actual link), it is linking to another site. In my case (barbeauvitresdautos.com/Scripts/logmein_unlock_form.zip).
At this point it is immediately clear that this is a malware e-mail and that I should not click the link.
According to MXlab, an e-mail security company, the virus has the following attack pattern.
The malicious URL downloads a ZIP file with the name logmein_unlock_form.zip that contains the 260 kB large file logmein_unlock_form.pif.
The trojan is known as Trojan.Win32.Agent.AMN (A), a variant of Win32/Kryptik.ASTO, Trojan-Spy:W32/Zbot.BBHD, UDS:DangerousObject.Multi.Generic, Trojan.Zbot or Troj/Agent-AANP.
The following process will be created:
umgio.exe
The following Host Name was requested from a host database: 192.5.5.241.
Several Windows registry changes will be executed and the trojan can establish connection with the domein 249a2efd08167c5c.com on port 80.
Here are some easy steps to protect your PC/MAC from being infected by virus like this.
- Invest in decent anti-virus/spam scanning software. Speak to an expert if you are not sure which one to get.
- When you do not expect an e-mail be suspicious and contact your provider or the sender of the e-mail to check its validity of the source before clicking on any links.
- If you are infected, act immediately. The longer you wait the bigger your potential issues might be.
This is also good.
The software works well, Ammyy Admin doesn’t require installation or specific config, works behind gateways NAT as well as within one LAN.