[ale] OT: Help me figure out what is happening?
Jeff Hubbs
hbbs at attbi.com
Thu Feb 21 23:05:47 EST 2002
I applied for a job yesterday and I got an e-mail back with what appears
to be a Windows executable attached that I am expected to run in order
to fill out and submit some kind of online form.
I have enough computer security 'fu to know that this is a very, very,
bad practice and that every applicant is placed at risk by this
practice. So, I tried to fire it up under Wine to see what would
happen. Wine churns for a while and I eventually get an error box
titled "OmniForm Mailable Filler" that says "Failed to launch
application." I did just a bit of Google research on this app. I want
to e-mail these people back and tell them that due to security concerns
I don't want to run this application; for those of us to whom the
reasons aren't plainly obvious, it's mostly because I have no way to
know if this binary has gotten virus-infected along the way and that
even if I had a Windows machine with anti-virus software, it isn't going
to be any more effective at detecting such a virus than any AV software
the sender used on it (presuming they even bothered).
Anyway, my question to you is this: I pulled this command line out of
/proc - can you tell me what OmniForm Mailable Filler is attempting to
do here?
/usr/bin/winereal--E:\EXEbaeb.tmp"E:\OFMbaec.tmp""F:\tmp\wine_c\JobAPPComplete.exe"\
http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar \
http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
Note: "F:\tmp\wine_c\JobAPPComplete.exe" is the Windows filespec as
seen by Wine to refer to the app in question.
Without drilling real deeply here, it looks to me that the app tries to
call up other Web-downloaded code (.cab, .jar), which would seem to
further amplify the security risk (add to the virus risk the idea that I
have no idea what all this stuff wants to do in my system). Looking
through my Google findings suggests that OmniForm Mailable Filler makes
use of browser plugins.
If I had to guess, I'd suppose that the downloaded code constitutes an
SMTP UA, mailing my inputted data to some mail server somewhere (begs
the question, how am I being authenticated?).
- Jeff
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list