Dorris,

>Yes, we're very sure about that.
>and I always answer 'No' to the notification and then go view the mail in preview.

After reviewing the virus code, I can see how an infection can happen without opening the attachment. The virus sends an HTML version of the email message that hooks into the display's ONMOUSEOUT and KEYPRESS events.

This looks like email readers configured with a 3-pane display, which shows folders on the left, list of messages on the top, and a preview pane on the bottom, would actually render the HTML in the preview. Moving the mouse over the preview and out again would trigger the ONMOUSEOUT event and a KEYPRESS event could happen from a keystroke while the preview pane has focus.

Or opening the message and then hitting a key or moving the mouse out of the display area (such as to click the X to close the display) could trigger the virus code to run.

I may be missing something here, but I think I've read the code correctly, and I'm alerting my clients now to disable any 3-pane views they have configured -- just in case.

Comments, anyone?