Pegasus Mail and Viruses.


Updated 28-Jul-2007.

07-Oct-2000
A message on the BUGTRAQ list tells of "an exploitable file reading vulnerability in the default setup of Pegasus Mail".
The link given in that message is now dead.

Here is David Harris's reaction:

---------- Forwarded message ----------

Mr Ghory has posted an announcement of a potential security hole in
Pegasus Mail. 

Well, I'm the vendor. It's a shame Mr Ghory didn't give us a chance
to prepare for the wave of panic, dismay and inundation of mail
that a posting like this always provokes, but never mind.

Firstly, I'll do the responsible thing and admit that as far as I
can tell, this exploit is feasible. It takes advantage of the fact
that Pegasus Mail has a command-line interface that can be invoked
from within a web browser. Please note that the URL as presented in
the report will not work correctly on the majority of systems -
Pegasus Mail requires the formal RFC1738 syntax for URLs containing
spaces. But if properly represented, it could produce the described
effect. 

My assessment of the risk involved in this exploit is that it is
moderate at worst. The hacker would need to have exact knowledge of
the layout of the victim's system, and would need to find some way
of enticing the victim to read a page containing the specific link
needed to activate the exploit. Furthermore, even if Pegasus Mail
is running, there will almost always be telltale indications to the
user that something has happened. It is worth stressing that this
vulnerability exists only in the case of links activated from a web
browser - Pegasus Mail already deals with internal mail-based
linkages like this. 

It is my belief that this exploit may have counterparts in other
mail programs. I suspect that any mail program that has a method
for being invoked from a browser may potentially have a
vulnerability along these lines. I say this not to produce FUD, but
in the hope that other developers will examine their code and
satisfy themselves that they are not at risk from this kind of
exploit. 

We currently have a replacement component in development which
handles the link between the browser and Pegasus Mail: this
component was developed primarily to deal with other non-security-
related problems, but I will add some code to it to detect links
that send files (something that should never happen in normal use)
and release it publicly as soon as is humanly possible.

I am not subscribed to BugTraq (I probably should be) - so I am
asking my spokesman on the list, Richard Stevenson, to post this
reaction to the list on my behalf (thanks Richard!). I would thank
Mr Ghory for bringing this to our attention, but he hasn't done so
yet. 

Cheers!

-- David --
Author/Owner, Pegasus Mail System.

04-May-2000
The Internet world has been woken up by a new virus called "ILOVEYOU". This virus is a Visual Basic Script that distributes itself to all addresses in an Outlook address book and, once it has been able to contact a web site, destroys files on disk.
The virus is extremely dangerous for all Windows(r) computers, regardless of which e-mail client is used. Once the attachment is opened, the virus is on your computer.
The virus becomes active when the VIEW button is used on the message. The virus cannot spread itself using Pegasus Mail, but can infect any Outlook program you have installed.

Advice:

Always be very careful with opening attachments, even when you get them from people you trust. Each and every attachment is a potential risk for viruses. Update your virus scan program often!

Possible solution

You can provide some protection against this specific type of virus by going to:

Tools > Options > Viewers > Add

and setting:

If the attachment's file extension matches: VBS
Run this program: notepad.exe
Extension to use for temporary file: txt


04-Sep-1999
Recently a new virus family has popped up: TOADIE. This virus uses Pegasus Mail to propagate itself.

Below you will find some more information about the virus:

  1. Message posted to PM-WIN, PM-DOS and PM-NEWS on behalf of David Harris (27-Aug-99).
  2. More information and details of the virus (04-Sept-99)

If you have more information that should be placed on this page, please feel free to contact me by e-mail and I will make that information available.


From:    Andrew Morrow, Member of the Pegasus Mail Support Group.
Subject:  Virus Propagated by Pegasus Mail

Information about the virus is available from a number of makers of anti-virus products:

The virus does not destroy data files but it can destroy infected program files if the timestamps of those files are changed. As well, infected programs will refuse to run between certain times of the evening (local time).

When an infected program is run, the virus attempts to propagate itself by looking for unsent Pegasus Mail messages and adding itself as an attachment to those messages. (We are still investigating the exact technique used by the virus, with an eye towards enhancing Pegasus Mail to detect an infected message and prevent it from spreading.) The people at Sophos have told us that the virus program often crashes while replicating, so the risk of infection appears to be quite low. As well, since the virus appears to look for *.PMW files to attach itself to, Pegasus Mail users on networks using Mercury or users with the "send mail at once" option enabled run a low risk of passing on the virus.

It is IMPORTANT to note that the recipient does NOT have to be using Pegasus Mail as their mail client in order for their machine to become infected. You should ALWAYS be careful about running executable attachments, even if they come from someone that you trust!

Please contact your favorite anti-virus software vendor for information on their products to both detect and remove this virus.
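The ILOVEYOU advice above (treat .VBS attachments as text, never run them) and the wish expressed in this message to detect an executable that has been added to a queued message come down to the same check: look at every attachment of a message and classify it before anything opens it. The following Python script is an added example; it is not part of this page, of Pegasus Mail, or of any anti-virus product. The message it scans is constructed inline, and the extension lists are an assumption chosen for illustration, not Pegasus Mail's own viewer settings. It goes slightly beyond the page in two ways: it keys on the last extension, so a name such as NOTES.TXT.vbs is still treated as a script, and it recognises a renamed Windows program from its "MZ" header regardless of the filename.

```python
"""Classify the attachments of a queued or received message before anything
opens them.  Added example; not part of the original page, of Pegasus Mail,
or of any anti-virus product.  The sample message and the extension lists
below are constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Assumed lists, not Pegasus Mail's own settings.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat"}   # run directly if opened
SCRIPT_EXTS = {"vbs", "vbe", "js", "wsh"}               # show as text, never run


def classify_name(filename):
    """Decide on the LAST extension, case-insensitively, so that a name such
    as NOTES.TXT.vbs is still recognised as a script."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        return "block"
    if ext in SCRIPT_EXTS:
        return "open-as-text"
    return "allow"


def classify_part(part):
    """Combine the filename verdict with a content check: a Windows program
    keeps its 'MZ' header however the attachment is named."""
    name = part.get_filename() or ""
    verdict = classify_name(name)
    data = part.get_payload(decode=True) or b""
    if data[:2] == b"MZ":
        verdict = "block"
    return name, verdict


def scan_message(raw_bytes):
    """Return [(filename, verdict), ...] for every attachment in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [classify_part(p) for p in msg.iter_attachments()]


def build_sample():
    """Constructed outgoing message carrying three attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello Bob, see the attached files.")
    # A script hiding behind a double extension (ILOVEYOU style).
    msg.add_attachment(b"MsgBox \"hi\"\r\n", maintype="application",
                       subtype="octet-stream", filename="NOTES.TXT.vbs")
    # A renamed Windows program: the 'MZ' header gives it away (Toadie style).
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="readme.dat")
    # A harmless text file.
    msg.add_attachment("Plain meeting notes.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name:20} {verdict}")
```

Run the script as-is to see the three verdicts. In a real mail client the "open-as-text" verdict corresponds to the notepad.exe viewer mapping given above, and "block" is the case the Toadie message wants detected: a program file sitting in a queued message that the user never chose to attach.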


More information and details of the virus

After some research we found the following information, which we would like to share with Pegasus Mail for DOS and Windows users:

To read more about the TOADIE virus family, please visit the websites mentioned above and the following, which might have more recent information:

http://www.trendmicro.com/en/security/advisories/sa082799.htm


Back to Han's Linkpage