Pegasus Mail and Viruses.

Here is David Harris's reaction:

---------- Forwarded message ----------

Mr Ghory has posted an announcement of a potential security hole in
Pegasus Mail. 

Well, I'm the vendor. It's a shame Mr Ghory didn't give us a chance
to prepare for the wave of panic, dismay and inundation of mail
that a posting like this always provokes, but never mind.

Firstly, I'll do the responsible thing and admit that as far as I
can tell, this exploit is feasible. It takes advantage of the fact
that Pegasus Mail has a commandline interface that can be invoked
from within a web browser. Please note that the URL as presented in
the report will not work correctly on the majority of systems -
Pegasus Mail requires the formal RFC1738 syntax for URLs containing
spaces. But if properly represented, it could produce the described
effect. 

My assessment of the risk involved in this exploit is that it is
moderate at worst. The hacker would need to have exact knowledge of
the layout of the victim's system, and would need to find some way
of enticing the victim to read a page containing the specific link
needed to activate the exploit. Furthermore, even if Pegasus Mail
is running, there will almost always be telltale indications to the
user that something has happened. It is worth stressing that this
vulnerability exists only in the case of links activated from a web
browser - Pegasus Mail already deals with internal mail-based
linkages like this. 

It is my belief that this exploit may have counterparts in other
mail programs. I suspect that any mail program that has a method
for being invoked from a browser may potentially have a
vulnerability along these lines. I say this not to produce FUD, but
in the hope that other developers will examine their code and
satisfy themselves that they are not at risk from this kind of
exploit. 

We currently have a replacement component in development which
handles the link between the browser and Pegasus Mail: this
component was developed primarily to deal with other non-security-
related problems, but I will add some code to it to detect links
that send files (something that should never happen in normal use)
and release it publicly as soon as is humanly possible.

I am not subscribed to BugTraq (I probably should be) - so I am
asking my spokesman on the list, Richard Stevenson, to post this
reaction to the list on my behalf (thanks Richard!). I would thank
Mr Ghory for bringing this to our attention, but he hasn't done so
yet. 

Cheers!

-- David --
Author/Owner, Pegasus Mail System.

Advise:

Always be very careful with opening attachments, even when you get them from people you trust. Each and every attachment is a potential risk for viruses. Update your virus scan program often!

Possible solution

You can provide some protection against this specific type of virus by going to:

Tools>Options>Viewers>Add
and setting: If the Attachment's file extension matches VBS
Run this program:
notepad.exe
Extension to use for temporary file: txt

Below you will find some more information about the virus:

1. Message posted to PM-WIN, PM-DOS and PM-NEWS on behalf of David Harris: (27-Aug-99).
2. More information and details of the virus (04-Sept-99)

If you have more information that should be placed on this page, please feel free to contact me by e-mail and I will make that information available.

From:    Andrew Morrow, Member of the Pegasus Mail Support Group.
Subject:  Virus Propagated by Pegasus Mail

Information about the virus is available from a number of makers of anti-virus products:

• http://www.sophos.com/downloads/ide/index.html#toadie
• http://www.symantec.com/avcenter/venc/data/termite.7800.html

The virus does not destroy data files but it can destroy infected program files if the timestamps of those files are changed. As well, infected programs will refuse to run between certain times of the evening (local time).

When an infected program is run, the virus attempts to propagate itself by looking for unsent Pegasus Mail messages and adding itself as an attachment to those messages. (We are still investigating the exact technique used by the virus, with an eye towards enhancing Pegasus Mail to detect an infected message and prevent it from spreading.) The people at Sophos have told us that the virus program often crashes while replicating, so the risk of infection appears to be quite low. As well, since the virus appears to look for *.PMW files to attach itself to, Pegasus Mail users on networks using Mercury or users with the "send mail at once" option enabled run a low risk of passing on the virus.

It is IMPORTANT to note that the recipient does NOT have to be using Pegasus Mail as their mail client in order for their machine to become infected. You should ALWAYS be careful about running executable attachments, even if they come from someone that you trust!

Please contact your favorite anti-virus software vendor for information on their products to both detect and remove this virus.

After some research we found the following information that we like to share with the Pegasus Mail for Dos and Windows users:

• When an infected program is run, the virus appears to look for the directory \PMAIL\MAIL.
• The virus puts a copy of TOADIE.EXE in \PMAIL\MAIL.
• It's unlikely that the virus will operate in a Version 3.x environment, but reports have come in that there are newer versions created that can use the 3.x versions.
• Due to the working of the virus it cannot propagate itself (yet!) when Pegasus Mail is used together with Mercury/nlm or Mercury/32 as no *.pmw files are created.

To read more about the TOADIE virus family, please visit the websites mentioned above and the following, which might have more recent information:

http://www.trendmicro.com/en/security/advisories/sa082799.htm