Malware spotted in LogMeIn “Account locked” Notification
For all the LogMeIn users out here I spotted some potential Malware via my inbox yesterday and thought I will let you know.
I received a notification from LogMeIn (email@example.com) stating LogMeIn Account Notification – Account locked. Since I do not have a LogMeIn account on this email address I was immediately suspicious and decided to investigate further.
The e-mail address looks authentic but could have been spoofed (Later confirmed by many Anti Virus providers). Next I investigated the clickable links on the e-mail. The text displayed seemed shows a “secure.logmein.com” address, but if you hover the mouse over the link (to reveal the actual link), it is linking to another site. In my case (barbeauvitresdautos.com/Scripts/logmein_unlock_form.zip).
At this point it is immediately clear that this is a malware e-mail and that I should not click the link.
According to MXlab, an e-mail security company, the virus has the following attack pattern.
The malicious URL downloads a ZIP file with the name logmein_unlock_form.zip that contains the 260 kB large file logmein_unlock_form.pif.
The trojan is known as Trojan.Win32.Agent.AMN (A), a variant of Win32/Kryptik.ASTO, Trojan-Spy:W32/Zbot.BBHD, UDS:DangerousObject.Multi.Generic, Trojan.Zbot or Troj/Agent-AANP.
The following process will be created:
The following Host Name was requested from a host database: 22.214.171.124.
Several Windows registry changes will be executed and the trojan can establish connection with the domein 249a2efd08167c5c.com on port 80.
Here are some easy steps to protect your PC/MAC from being infected by virus like this.
- Invest in decent anti-virus/spam scanning software. Speak to an expert if you are not sure which one to get.
- When you do not expect an e-mail be suspicious and contact your provider or the sender of the e-mail to check its validity of the source before clicking on any links.
- If you are infected, act immediately. The longer you wait the bigger your potential issues might be.