[ale] OT: Help me figure out what is happening?

Geoffrey esoteric at 3times25.net
Fri Feb 22 00:10:51 EST 2002


I suspect the *.jar file is a java archive.  I've seen *.xpi files when 
downloading a java plugin for mozilla.  That certainly doesn't provide a 
solution, but might give you a bit more insight.

All I've got to say is, what kind of completely stupid company would 
send a windows executable?  That really takes the cake.  I don't envy 
your position as the job seeker.

You don't have a spare windows box lying around you could risk?

I don't know what kind of timeframe you're operating in, but I've got an 
old install of NT on vmware I was about to trash.  I'd be glad to open 
that puppy up on that sandbox if you'd like.  Problem is, what do you do 
next???

Jeff Hubbs wrote:
> I applied for a job yesterday and I got an e-mail back with what appears 
> to be a Windows executable attached that I am expected to run in order 
> to fill out and submit some kind of online form.
> 
> I have enough computer security 'fu to know that this is a very, very, 
> bad practice and that every applicant is placed at risk by this 
> practice.  So, I tried to fire it up under Wine to see what would 
> happen.  Wine churns for a while and I eventually get an error box 
> titled "OmniForm Mailable Filler" that says "Failed to launch 
> application."  I did just a bit of Google research on this app.  I want 
> to e-mail these people back and tell them that due to security concerns 
> I don't want to run this application; for those of us to whom the 
> reasons aren't plainly obvious, it's mostly because I have no way to 
> know if this binary has gotten virus-infected along the way and that 
> even if I had a Windows machine with anti-virus software, it isn't going 
> to be any more effective at detecting such a virus than any AV software 
> the sender used on it (presuming they even bothered).
> 
> Anyway, my question to you is this:  I pulled this command line out of 
> /proc - can you tell me what OmniForm Mailable Filler is attempting to 
> do here?
> 
> /usr/bin/winereal--E:\EXEbaeb.tmp"E:\OFMbaec.tmp""F:\tmp\wine_c\JobAPPComplete.exe"\ 
> 
> http://www.eomniform.com/OF5/nsplugins/OFMailX.cab 
> http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar \
> http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
> 
> Note:   "F:\tmp\wine_c\JobAPPComplete.exe" is the Windows filespec as 
> seen by Wine to refer to the app in question.
> 
> Without drilling real deeply here, it looks to me that the app tries to 
> call up other Web-downloaded code (.cab, .jar), which would seem to 
> further amplify the security risk (add to the virus risk the idea that I 
> have no idea what all this stuff wants to do in my system).  Looking 
> through my Google findings suggests that OmniForm Mailable Filler makes 
> use of browser plugins.
> 
> If I had to guess, I'd suppose that the downloaded code constitutes an 
> SMTP UA, mailing my inputted data to some mail server somewhere (begs 
> the question, how am I being authenticated?).
> 
> - Jeff
> 
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems 
> should be sent to listmaster at ale dot org.
> 
> 


-- 
Until later: Geoffrey		esoteric at 3times25.net

I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?
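The command line Jeff pulled out of /proc, as an added example that is not part of this thread: /proc/<pid>/cmdline separates arguments with NUL bytes, so dumping it to a terminal runs them together exactly as in the line quoted above. This script splits the arguments and groups the URLs and Windows-side paths so a reviewer can see which remote code the launcher was pointed at. The sample bytes are constructed and the argument boundaries in them are an assumption.

```python
import re

# Constructed sample of /proc/<pid>/cmdline, modelled on the wine invocation
# quoted in this thread. Real cmdline data is NUL-separated; the split points
# below are assumed, not taken from the original /proc dump.
SAMPLE_CMDLINE = (
    b"/usr/bin/wine\x00real\x00--\x00"
    b"E:\\EXEbaeb.tmp\x00"
    b"\"E:\\OFMbaec.tmp\"\x00"
    b"\"F:\\tmp\\wine_c\\JobAPPComplete.exe\"\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailX.cab\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi\x00"
)

URL_RE = re.compile(r"^https?://", re.I)
WIN_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_cmdline(raw: bytes) -> list:
    """Split raw /proc/<pid>/cmdline bytes into argv; empty for kernel threads."""
    raw = raw.rstrip(b"\x00")
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00")]


def read_cmdline(pid: int) -> list:
    """Read and parse the command line of a live process (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return parse_cmdline(fh.read())


def classify_args(argv: list) -> dict:
    """Group arguments: code fetched over HTTP, Windows paths, everything else."""
    out = {"urls": [], "windows_paths": [], "other": []}
    for a in argv:
        if URL_RE.match(a):
            out["urls"].append(a)
        elif WIN_PATH_RE.match(a):
            out["windows_paths"].append(a.strip('"'))
        else:
            out["other"].append(a)
    return out


def remote_hosts(argv: list) -> list:
    """Distinct hosts the process was told to download code from."""
    hosts = []
    for u in classify_args(argv)["urls"]:
        host = u.split("//", 1)[1].split("/", 1)[0].lower()
        if host not in hosts:
            hosts.append(host)
    return hosts
```

Run it against a live process with `read_cmdline(pid)` in place of the sample; on the constructed input it reports three URLs, three Windows paths and a single remote host.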

