I received an email message claiming to be from LogMeIn in my inbox. Fortunately, I was out of the office and could not look at it until all of my tasks were complete. The title of the message is “Automatic payment failed – Credit Card rejected”. There is also a Microsoft Word attachment to this message. The anti-virus and malware companies were busy today, with 32 out of 57 adding a signature for the Trojan that is embedded in the Word document. The message does not include a LogMeIn logo.
Opening the File tab and then the Properties box in Outlook allowed me to view the header information in the message. The sending mail server was located in the telecomitalia.it domain. LogMeIn headquarters is in Boston, Massachusetts. According to the LogMeIn Contact Us page, they do not have an office in Italy. The Message-ID field in the message has TOL70HFR.email@example.com, showing that rogueapp.com generated the message. Rogueapp.com was registered in August of 2000. The web site proclaims that it is the “Home of projects – literally numbering in the single digits – that languish in a place called ‘90% finished’.” These funny guys have yet to register iamacrook.com; this domain is still available.
The Sender ID result in the message header shows that it failed. If you were using Office 365 for your email server, this message could have been blocked. In the Exchange protection advanced settings you can mark all messages that fail the Sender ID test as spam. This will also cause legitimate messages from senders without SPF configured correctly to not reach your inbox.
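The header checks described above (Message-ID domain, sending server, and the SPF / Sender ID result) can be scripted for quick triage. This is an added example, not part of the original post; the sample headers, hosts, addresses and IP are constructed placeholders, and the function names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the message described above;
# every host, address, IP and the Message-ID value is a placeholder.
SAMPLE = """\
Received: from host.isp.example (host.isp.example [192.0.2.10])
    by mx.recipient.example; Mon, 1 Jan 2024 10:00:00 +0000
Received-SPF: Fail (sender not permitted) client-ip=192.0.2.10
X-MS-Exchange-Organization-SenderIdResult: Fail
From: "Vendor Billing" <billing@vendor.example>
Message-ID: <CONSTRUCTED123@unrelated.example>
Subject: Automatic payment failed - Credit Card rejected

(body omitted)
"""

def domain_of(value):
    """Lower-cased domain part of an address or Message-ID, '' if absent."""
    addr = parseaddr(value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """True when one domain equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw):
    """Return (check, detail) findings; each is a signal to weigh, not a verdict."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    mid_dom = domain_of(msg.get("Message-ID", ""))
    if from_dom and mid_dom and not related(mid_dom, from_dom):
        findings.append(("message-id-domain", f"{mid_dom} vs From {from_dom}"))
    # Results stamped by the receiving server (SPF and Exchange Sender ID).
    for name in ("Received-SPF", "X-MS-Exchange-Organization-SenderIdResult"):
        for value in msg.get_all(name, []):
            if value.strip().lower().startswith(("fail", "softfail")):
                findings.append((name.lower(), value.split()[0]))
    # The bottom-most Received header is the first hop. Hops below the one
    # added by your own server can be forged by the sender.
    hops = msg.get_all("Received", [])
    tokens = hops[-1].split() if hops else []
    if len(tokens) > 1 and tokens[0].lower() == "from" and from_dom:
        if not related(tokens[1].lower(), from_dom):
            findings.append(("sending-host", tokens[1].lower()))
    return findings

if __name__ == "__main__":
    for check, detail in triage(SAMPLE):
        print(f"{check}: {detail}")
```

A Message-ID or sending-host mismatch alone is common with legitimate third-party mailers; it carries weight here because it coincides with the failed sender check.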
When I downloaded the attached file to my computer, Microsoft Security Essentials scanned the file and found the malware. I only have the date the virus was detected by Microsoft, not the time. According to the VirusTotal web site, this file is also in email messages that claim to be from the IRS complaint department.