Here is David Harris's reaction:
---------- Forwarded message ----------

Mr Ghory has posted an announcement of a potential security hole in Pegasus Mail. Well, I'm the vendor. It's a shame Mr Ghory didn't give us a chance to prepare for the wave of panic, dismay and inundation of mail that a posting like this always provokes, but never mind.

Firstly, I'll do the responsible thing and admit that as far as I can tell, this exploit is feasible. It takes advantage of the fact that Pegasus Mail has a command-line interface that can be invoked from within a web browser. Please note that the URL as presented in the report will not work correctly on the majority of systems - Pegasus Mail requires the formal RFC1738 syntax for URLs containing spaces. But if properly represented, it could produce the described effect.

My assessment of the risk involved in this exploit is that it is moderate at worst. The hacker would need to have exact knowledge of the layout of the victim's system, and would need to find some way of enticing the victim to read a page containing the specific link needed to activate the exploit. Furthermore, even if Pegasus Mail is running, there will almost always be telltale indications to the user that something has happened.

It is worth stressing that this vulnerability exists only in the case of links activated from a web browser - Pegasus Mail already deals with internal mail-based linkages like this.

It is my belief that this exploit may have counterparts in other mail programs. I suspect that any mail program that has a method for being invoked from a browser may potentially have a vulnerability along these lines. I say this not to produce FUD, but in the hope that other developers will examine their code and satisfy themselves that they are not at risk from this kind of exploit.

We currently have a replacement component in development which handles the link between the browser and Pegasus Mail: this component was developed primarily to deal with other non-security-related problems, but I will add some code to it to detect links that send files (something that should never happen in normal use) and release it publicly as soon as is humanly possible.

I am not subscribed to BugTraq (I probably should be) - so I am asking my spokesman on the list, Richard Stevenson, to post this reaction to the list on my behalf (thanks Richard!). I would thank Mr Ghory for bringing this to our attention, but he hasn't done so yet.

Cheers!

-- David --
Author/Owner, Pegasus Mail System.
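The check Mr Harris describes adding to the browser-to-mail component, namely refusing any browser-originated link that would make the mail client send a file, can be illustrated with an allowlist-based link validator. The following is an added example and is not Pegasus Mail's code nor code from the message above: it uses the standard mailto: scheme as a stand-in, because the page does not show Pegasus Mail's own link syntax, and the parameter names in ALLOWED_PARAMS and FILE_PARAMS are assumed for the illustration. It also shows the RFC1738 percent-decoding the message mentions, since a link containing a raw space would not be interpreted correctly.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Fields a browser-launched "compose a message" link may legitimately set.
# (Constructed allowlist; Pegasus Mail's real link syntax is not on the page.)
ALLOWED_PARAMS = {"to", "cc", "subject", "body"}
# Hypothetical parameter names that would make the mail client attach a local
# file to the outgoing message; a link coming from a web page must never do this.
FILE_PARAMS = {"attach", "attachment", "file"}


def check_compose_link(url: str) -> dict:
    """Validate an RFC1738-encoded mailto-style link before acting on it.

    Returns {"ok": True, "fields": {...}} with percent-decoded values, or
    {"ok": False, "reason": ...} when the link must be refused.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        return {"ok": False, "reason": f"unexpected scheme {parts.scheme!r}"}

    # The address sits in the path; unquote() turns %20 and friends back
    # into the characters they encode, as RFC1738 requires.
    fields = {"to": unquote(parts.path)}

    # parse_qsl percent-decodes each parameter name and value for us.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lname = name.lower()
        if lname in FILE_PARAMS:
            return {"ok": False, "reason": f"link tries to send a local file via {name!r}"}
        if lname not in ALLOWED_PARAMS:
            return {"ok": False, "reason": f"parameter {name!r} is not allowed from a browser"}
        fields[lname] = value

    # A decoded CR or LF inside any field would let the link smuggle in
    # extra message headers, so reject those as well.
    for name, value in fields.items():
        if "\r" in value or "\n" in value:
            return {"ok": False, "reason": f"control characters in {name!r}"}
    return {"ok": True, "fields": fields}


if __name__ == "__main__":
    # Constructed sample links: one legitimate, one carrying a file parameter.
    print(check_compose_link("mailto:user@example.com?subject=Hello%20World"))
    print(check_compose_link("mailto:user@example.com?attach=C%3A%5Cboot.ini"))
```

The design point is the allowlist: rather than enumerating every parameter that could be dangerous, the handler accepts only the few fields a web page has any business setting and refuses everything else, so a file-sending parameter is rejected whether or not its exact name was anticipated.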
Advice:
Always be very careful with opening attachments, even when you get them from people you trust. Each and every attachment is a potential risk for viruses. Update your virus scan program often!
Possible solution
You can provide some protection against this specific type of virus by going to:
Tools > Options > Viewers > Add

and setting:

If the Attachment's file extension matches: VBS
Run this program: notepad.exe
Extension to use for temporary file: txt
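Why this viewer rule helps is easier to see in code. The following is an added example, not Pegasus Mail's code: it models the Viewers table as a small rule set and contrasts what happens to a .VBS attachment with no rule (the file keeps its extension and is handed to the script host, which runs it) against the rule above (the file is written with a .txt extension and handed to notepad.exe, which only displays it). The DEFAULT_HANDLERS table, the class and function names, and the sample attachment bytes are all constructed for the illustration; nothing is actually launched, the command is only returned.

```python
import os
import tempfile

# What the desktop would do with an attachment when no viewer rule exists.
# Constructed table: (program that receives the file, whether that program
# executes the file's contents rather than merely displaying them).
DEFAULT_HANDLERS = {
    "vbs": ("wscript.exe", True),   # script host runs the script
    "exe": (None, True),            # launched directly
    "txt": ("notepad.exe", False),  # displayed as text
}


class ViewerRules:
    """Model of the Tools > Options > Viewers table: extension -> (program, temp extension)."""

    def __init__(self):
        self.rules = {}

    def add(self, extension, program, temp_extension):
        self.rules[extension.lower().lstrip(".")] = (program, temp_extension.lower().lstrip("."))

    def resolve(self, filename):
        """Decide how an attachment called `filename` would be opened."""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in self.rules:
            program, temp_ext = self.rules[ext]
            # The file is written under the configured temporary extension, so
            # the viewer (and any later double click) treats it as that type.
            return {"program": program, "temp_extension": temp_ext, "executes": False}
        # No rule: fall back to the desktop association; unknown types get nothing.
        program, executes = DEFAULT_HANDLERS.get(ext, (None, False))
        return {"program": program, "temp_extension": ext, "executes": executes}


def stage_attachment(rules, filename, data, directory=None):
    """Write the attachment to a temporary file under the resolved extension
    and return the command that would be launched (it is not launched here)."""
    decision = rules.resolve(filename)
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, f"attachment.{decision['temp_extension']}")
    with open(path, "wb") as fh:
        fh.write(data)
    if decision["program"]:
        command = [decision["program"], path]
    elif decision["executes"]:
        command = [path]          # direct execution, e.g. an .exe
    else:
        command = []              # nothing associated; nothing runs
    return {"path": path, "command": command, "executes": decision["executes"]}


if __name__ == "__main__":
    sample = b"MsgBox 1"  # constructed stand-in for a script attachment
    plain = ViewerRules()
    print("no rule:  ", stage_attachment(plain, "invoice.vbs", sample))
    hardened = ViewerRules()
    hardened.add("VBS", "notepad.exe", "txt")
    print("with rule:", stage_attachment(hardened, "invoice.vbs", sample))
```

The temporary-file extension matters as much as the program: writing the attachment as .txt means that even if the user later opens the saved file by hand, the desktop treats it as text rather than as a script.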
Below you will find some more information about the virus:
If you have more information that should be placed on this page, please feel free to contact me by e-mail and I will make that information available.
From: Andrew Morrow, Member of the Pegasus Mail Support Group.
Subject: Virus Propagated by Pegasus Mail
Information about the virus is available from a number of makers of anti-virus products:
The virus does not destroy data files but it can destroy infected program files if the timestamps of those files are changed. As well, infected programs will refuse to run between certain times of the evening (local time).
When an infected program is run, the virus attempts to propagate itself by looking for unsent Pegasus Mail messages and adding itself as an attachment to those messages. (We are still investigating the exact technique used by the virus, with an eye towards enhancing Pegasus Mail to detect an infected message and prevent it from spreading.) The people at Sophos have told us that the virus program often crashes while replicating, so the risk of infection appears to be quite low. As well, since the virus appears to look for *.PMW files to attach itself to, Pegasus Mail users on networks using Mercury or users with the "send mail at once" option enabled run a low risk of passing on the virus.
It is IMPORTANT to note that the recipient does NOT have to be using Pegasus Mail as their mail client in order for their machine to become infected. You should ALWAYS be careful about running executable attachments, even if they come from someone that you trust!
Please contact your favorite anti-virus software vendor for information on their products to both detect and remove this virus.
After some research we found the following information, which we would like to share with Pegasus Mail for DOS and Windows users:
To read more about the TOADIE virus family, please visit the websites mentioned above and the following, which might have more recent information:
http://www.trendmicro.com/en/security/advisories/sa082799.htm