[ale] OT: Help me figure out what is happening?

Jeff Hubbs hbbs at attbi.com
Thu Feb 21 23:05:47 EST 2002


I applied for a job yesterday and I got an e-mail back with what appears 
to be a Windows executable attached that I am expected to run in order 
to fill out and submit some kind of online form.

I have enough computer security 'fu to know that this is a very, very 
bad practice and that every applicant is placed at risk by it.  So, I 
tried to fire it up under Wine to see what would happen.  Wine churns 
for a while and I eventually get an error box titled "OmniForm Mailable 
Filler" that says "Failed to launch application."  I did just a bit of 
Google research on this app.  I want to e-mail these people back and 
tell them that due to security concerns I don't want to run this 
application.  For those of us to whom the reasons aren't plainly 
obvious: it's mostly because I have no way to know whether this binary 
has gotten virus-infected along the way, and even if I had a Windows 
machine with anti-virus software, it isn't going to be any more 
effective at detecting such a virus than any AV software the sender 
used on it (presuming they even bothered).  

Anyway, my question to you is this:  I pulled this command line out of 
/proc - can you tell me what OmniForm Mailable Filler is attempting to 
do here?

/usr/bin/winereal--E:\EXEbaeb.tmp"E:\OFMbaec.tmp""F:\tmp\wine_c\JobAPPComplete.exe"\
http://www.eomniform.com/OF5/nsplugins/OFMailX.cab 
http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar \
http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi

Note:   "F:\tmp\wine_c\JobAPPComplete.exe" is the Windows filespec as 
seen by Wine to refer to the app in question.

Without drilling real deeply here, it looks to me like the app tries to 
call up other Web-downloaded code (.cab, .jar), which would seem to 
further amplify the security risk (add to the virus risk the fact that I 
have no idea what all this stuff wants to do in my system).  My Google 
findings suggest that OmniForm Mailable Filler makes use of browser 
plugins.  

If I had to guess, I'd suppose that the downloaded code constitutes an 
SMTP UA, mailing my input data to some mail server somewhere (which begs 
the question: how am I being authenticated?).  

- Jeff




---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
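The run-together command line quoted in the post is what /proc/<pid>/cmdline looks like when it is printed without splitting on the NUL bytes the kernel uses to separate arguments. What follows is an added example, not part of the original post: it splits such a dump into its argv entries and lists every remote URL the process was handed, so the downloaded components can be seen without running the executable. The sample bytes are constructed here, modelled on the line in the post; where the NUL boundaries fall in the real command line is an assumption.

```python
"""Split a /proc/<pid>/cmdline dump into argv and list the URLs in it.

/proc/<pid>/cmdline separates arguments with NUL (0x00) and terminates
the last one with NUL, so `cat` shows them run together on one line.
"""
from __future__ import annotations

import os
import re
from urllib.parse import urlparse


def parse_cmdline(raw: bytes) -> list[str]:
    """Split the raw bytes of /proc/<pid>/cmdline into argv entries."""
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()  # drop the empty piece after the terminating NUL
    return [p.decode("utf-8", errors="replace") for p in parts]


def read_proc_cmdline(pid: int) -> list[str]:
    """Read and split /proc/<pid>/cmdline for a live process (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return parse_cmdline(fh.read())


def remote_references(argv: list[str]) -> list[tuple[str, str, str]]:
    """Return (url, hostname, file extension) for each http(s) URL argument."""
    found = []
    for arg in argv:
        if not re.match(r"https?://", arg):
            continue
        parsed = urlparse(arg)
        ext = os.path.splitext(parsed.path)[1].lower()
        found.append((arg, parsed.hostname or "", ext))
    return found


def remote_hosts(argv: list[str]) -> list[str]:
    """Distinct hosts the process would contact, from its URL arguments."""
    return sorted({host for _, host, _ in remote_references(argv)})


# Constructed sample, modelled on the command line quoted in the post.
# The NUL positions are an assumption about how the arguments were split;
# the real file would have to be read with read_proc_cmdline(pid).
SAMPLE_CMDLINE = (
    b"/usr/bin/winereal\0--\0E:\\EXEbaeb.tmp\0E:\\OFMbaec.tmp\0"
    b"F:\\tmp\\wine_c\\JobAPPComplete.exe\0"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailX.cab\0"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar\0"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi\0"
)


if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    for i, arg in enumerate(argv):
        print(f"argv[{i}] = {arg!r}")
    print("hosts contacted:", remote_hosts(argv))
    for url, host, ext in remote_references(argv):
        print(f"  {ext or '(none)':6} from {host}: {url}")
```

On a live system the same split is what `tr '\0' '\n' < /proc/PID/cmdline` does; the point of doing it explicitly is that the URLs and local paths come out as separate arguments instead of the single run-together string shown above.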