Suspicious mails from FarSight with Word attachment, probably Virus

Xanija

Moderator
Staff member
May 29, 2013
1,348
0
Hey guys, I received 2 same mails from FarSight on different mail addresses, most likely containing a macro virus. File attached was "request.doc" and those were replies to mails from me.

Please be careful if you had e-mail contact with someone from FarSight before.
 

jonesjb

New member
Mar 22, 2013
137
0
> Hey guys, I received 2 same mails from FarSight on different mail addresses, most likely containing a macro virus. File attached was "request.doc" and those were replies to mails from me.
>
> Please be careful if you had e-mail contact with someone from FarSight before.

I checked and received a similar email. Didn't try opening the attachment.
 

Xanija

Moderator
Staff member
May 29, 2013
1,348
0
By the way, I already informed Mike Lindsey about this. So please don't spam his account with mails about this, thanks :)
 

debuggiest

New member
Aug 10, 2013
162
0
Decided to look at the header... not sure if this will help find out which machine is infected.

Delivered-To: me@gmail.com
Received: by 2002:a4a:468e:0:0:0:0:0 with SMTP id q14-v6csp3965928ood;
Mon, 18 Jun 2018 04:13:27 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJJo5tL5TgsZqvhNQw8vHHlf1wf/drD+wvCz/aGga48Jr9XnsyIAxyLiDvhzcXzxIkAy7HO
X-Received: by 2002:a0c:becb:: with SMTP id f11-v6mr10167268qvj.18.1529320406987;
Mon, 18 Jun 2018 04:13:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529320406; cv=none;
d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:references:in-reply-to:message-id:subject:from:to:date
:arc-authentication-results;
bh=kKPRm9o/iUXmu0n2QapmZBJRZPnfPRerEGawz019LL8=;
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of support@farsightstudios.com designates 146.20.161.73 as permitted sender) smtp.mailfrom=support@farsightstudios.com
Return-Path: <support@farsightstudios.com>
Received: from smtp73.iad3b.emailsrvr.com (smtp73.iad3b.emailsrvr.com. [146.20.161.73])
by mx.google.com with ESMTPS id u67-v6si2595399qkh.225.2018.06.18.04.13.26
for <me@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 18 Jun 2018 04:13:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@farsightstudios.com designates 146.20.161.73 as permitted sender) client-ip=146.20.161.73;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of support@farsightstudios.com designates 146.20.161.73 as permitted sender) smtp.mailfrom=support@farsightstudios.com
Received: from smtp18.relay.iad3b.emailsrvr.com (localhost [127.0.0.1]) by smtp18.relay.iad3b.emailsrvr.com (SMTP Server) with ESMTP id 6BB8AE0087 for <me@gmail.com>; Mon, 18 Jun 2018 07:13:26 -0400 (EDT)
X-Auth-ID: support@farsightstudios.com
Received: by smtp18.relay.iad3b.emailsrvr.com (Authenticated sender: support-AT-farsightstudios.com) with ESMTPSA id 50615E006A for <me@gmail.com>; Mon, 18 Jun 2018 07:13:25 -0400 (EDT)
X-Sender-Id: support@farsightstudios.com
Received: from localhost (ool-6c3a4973.static.optonline.net [108.58.73.115]) (using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256) by 0.0.0.0:25 (trex/5.7.12); Mon, 18 Jun 2018 07:13:26 -0400
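Added example, not part of the original post: one way to read a header like the one above is to walk the Received chain oldest-first and pull out the first non-loopback client, the account the relay logged as authenticated, and the SPF verdict. The function name, regexes and sample values are assumptions made for this illustration; the sample header is constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample shaped like the header above (example domains and
# documentation addresses, not the values from the thread).
SAMPLE = """\
Delivered-To: rcpt@example.net
Received: by 2001:db8::1 with SMTP id abc123; Mon, 18 Jun 2018 04:13:27 -0700 (PDT)
Authentication-Results: mx.example.net;
 spf=pass (example.net: domain of support@vendor.example designates 192.0.2.73 as permitted sender)
Received: from relay73.mail.example (relay73.mail.example. [192.0.2.73])
 by mx.example.net with ESMTPS id u67; Mon, 18 Jun 2018 04:13:26 -0700 (PDT)
Received: by relay18.mail.example (Authenticated sender: support-AT-vendor.example)
 with ESMTPSA id 50615E; Mon, 18 Jun 2018 07:13:25 -0400 (EDT)
Received: from localhost (client.isp.example [198.51.100.115])
 by 0.0.0.0:25; Mon, 18 Jun 2018 07:13:26 -0400
"""

CLIENT_RE = re.compile(r"\(([\w.-]+) \[([0-9A-Fa-f:.]+)\]")  # (rdns-name [ip])
AUTH_RE = re.compile(r"Authenticated sender: ([^)\s]+)")
SPF_RE = re.compile(r"\bspf=(\w+)")

def trace_origin(raw):
    """Summarise where a message entered the mail system, oldest hop first."""
    msg = message_from_string(raw, policy=default)
    # Every relay prepends its own Received line, so reverse for oldest-first.
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    out = {"hops": len(hops), "origin_host": None, "origin_ip": None,
           "authenticated_sender": None, "spf": None}
    for hop in hops:
        a = AUTH_RE.search(hop)
        if a and out["authenticated_sender"] is None:
            out["authenticated_sender"] = a.group(1)
        m = CLIENT_RE.search(hop)
        if not m or out["origin_ip"]:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if not ip.is_loopback:  # skip relay-internal localhost hand-offs
            out["origin_host"], out["origin_ip"] = m.group(1), str(ip)
    spf = SPF_RE.search(" ".join(str(h) for h in msg.get_all("Authentication-Results", [])))
    out["spf"] = spf.group(1) if spf else None
    return out
```

Only Received lines written by relays you trust are reliable; anything below the first trusted hop is supplied by the sending side and can be forged.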
 

Mike Lindsey

FarSight Employee
Jul 23, 2013
105
0
Hey Guys! My phone started blowing up at around 3AM with bounces. Not sure what happened just yet but don't open! Definitely malicious.
 

debuggiest

New member
Aug 10, 2013
162
0
I don't think it's fair to harshly chastise FS for this, sure it sucks, but it's pretty easy for people to pick up viruses. You'd be surprised how many doctors and medical staff don't know how to use a computer safely for example.
 

EldarOfSuburbia

New member
Feb 8, 2014
4,032
0
I already didn't open it. I mean, it was with regard to an email thread from two or three years ago about a free table I won from the Twitch stream... really odd. Email deleted now!
 

Kolchak357

Senior Pigeon
May 31, 2012
8,102
2
I received a reply from an old email as well. Thought it was very strange. Didn't open the attachment and deleted it.
 

blindpeser

New member
Nov 20, 2016
101
0
> That was dumb. Almost never open attachments. Why would Farsight send a Word Doc to its customers?

Probably it was. I asked for a special list of games and thought the attachment contains this list. But you're right, still dumb. Pretty awesome to get a virus from a trusted IT company though.
 

EldarOfSuburbia

New member
Feb 8, 2014
4,032
0
> Probably it was. I asked for a special list of games and thought the attachment contains this list. But you're right, still dumb. Pretty awesome to get a virus from a trusted IT company though.

Believe me, IT pros can be some of the dumbest people when it comes to computer security. In my company (and possibly elsewhere) people are referred to as the "Human Firewall". Ultimately if a human being isn't smart enough to know to leave something alone or better report it as suspicious, there's not much any anti-virus software can do. Attachments are one thing but it's the various forms of phishing that catch people out.
 

blindpeser

New member
Nov 20, 2016
101
0
Man, Farsight. This is a disaster. "Hey folks, we sent a virus to you. Just make a scan. We are out, rest is up to you." Could we please get any information on this? Does this one just work on Windows? My free Kaspersky mobile edition didn't detect anything. Please give us a tutorial how to get rid of this thing.
 

shogun00

New member
Dec 25, 2012
763
0
> Man, Farsight. This is a disaster. "Hey folks, we sent a virus to you. Just make a scan. We are out, rest is up to you." Could we please get any information on this? Does this one just work on Windows? My free Kaspersky mobile edition didn't detect anything. Please give us a tutorial how to get rid of this thing.

Yeah, it's a Windows virus. It doesn't work on Linux, Mac, iOS, or Android OS.
 
Apr 3, 2015
19
0
Just received same request.doc, which Windows Defender reported as containing a Trojan. It was attached to an email that I had sent almost 3 years ago! Delete immediately if received [do not download].
 
