My understanding is that this one (and its various clones) can perform their email propagation while being shown in the Preview panel, but their other nasty functions only happen if you open their attached file.
Let me add a few things that might help the search for truth here. I got it. 26 freaking times I got it. I use IE 4.72 with the preview pane. The virus did not activate on my machine, even though I had to “single click” on the paperclip icon to see the title of the virus. That said, security is very important to my IT guys, so they may have customized/modified my IE to make sure that auto-run things don’t happen; I wouldn’t know about such things. I will say that whatever they do or did worked perfectly. Even though we got over 200 copies of the thing cumulatively, and even though some people did open it, we never had to take down our mail server, and we only had to scrub all attachments for a few hours on Thursday night. Considering some of the stories coming out of our competitors, I imagine that the boys and girls in our IT department will get a little something extra in their stockings this Christmas. And I don’t get to whine anymore about our firewall being too thick to support RealPlayer.
As to why one might open the virus? Well, of the 26 copies of the virus I got, something like 20 were from people who send me email with an attachment every single day. That’s their job – to send me research reports from their firms, digests of morning meetings, financial filings, etc. And of course most mornings I just open the thing without looking at the file itself, since it is the same every morning (mostly PDF and TXT files, sometimes Word98, Excel98, occasionally slides in PowerPoint). Opening these things is part of my routine; I do it while reading the paper or talking on the phone so I can check them out later.
If I hadn’t had a morning meeting that prevented me from getting to the office until about 8:30, I would have done the same thing that day (by then we had also got the broadcast message explaining just how big a deal this was). And I would have got the virus.
I had never heard of a VBScript file that executed from the preview pane, but without knowing for sure I have turned off my preview pane for the time being at least. I also have Outlook Express running in the Security mode for Restricted Sites.
I got this off Microsoft’s web site:
I don’t know that I trust MS any more than anyone else, but they say it isn’t going to run by itself.
Also, WGFF, if the script doesn’t run, nothing happens. If the script runs and you don’t have Outlook, the emails aren’t sent but everything else happens. That’s my understanding at least.
The question is if for sure you have to double-click it to make it run or if it will run by simply reading the mail or previewing it without opening the attachment.
Jim
hardcore, I must apologize for the hostile tone of my previous post. I was having a bad day.
As far as proof that a Visual Basic script can run from Outlook (by viewing the e-mail in the preview pane) without double-clicking on it, no, I’m sorry to say that I don’t have first-hand proof of that. Game point to you! All I can offer is
[list=A]
[li]the reference above to the Computer Emergency Response Team, http://www.cert.org[/li]
[li]the first-hand experience of an ex-work colleague of mine, a network administrator at a company that uses Outlook, who affirms that it happened to him with the love-letter virus. I don’t know if he was running Windows NT, 95, 98 or 2000, so I can’t tell you much more than that.[/li]
[/list]
Arnold, no apologies necessary. I’m a little testy myself having dealt with multiple paranoid users and relatives for the past few days.
I examined the CERT site and I couldn’t find any mention of a configuration where the virus would run automatically in the preview pane. Nothing on any of the anti-virus sites either. I think the ComputerWorld writer was guilty of printing the story without fact-checking.
One point worth mentioning – if you have the option “Hide file extensions for known file types” checked in Explorer, you would see a file like “Readme.txt.vbs” as “Readme.txt” and may think it is safe to open it. The icon for the file would give it away, but many users wouldn’t know the difference. Be sure that option isn’t checked so you will always know what type of file you are running.
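The “Hide file extensions for known file types” problem described above, as an added example that is not part of any post in this thread: a small Python check that reproduces what Explorer would display for an attachment name and flags names like “Readme.txt.vbs” whose visible part looks like a harmless document while the real (last) extension is a script or program. The extension lists are assumptions constructed for the example, not a complete catalogue.

```python
# Extensions Windows treats as runnable when double-clicked
# (constructed list for this example; not exhaustive).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                   "exe", "com", "bat", "cmd", "scr", "pif"}

# Extensions a user would plausibly treat as a "safe" document
# (also a constructed, illustrative list).
DOCUMENT_EXTS = {"txt", "pdf", "doc", "xls", "ppt", "gif", "jpg", "htm", "html"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows with 'Hide file extensions for known file types'
    on: only the LAST extension is stripped, so 'Readme.txt.vbs' is shown
    as 'Readme.txt'. Names without an extension are shown unchanged."""
    base, dot, _ext = filename.rpartition(".")
    if not dot or not base:          # 'noext' or a leading-dot name
        return filename
    return base


def classify_attachment(filename: str) -> dict:
    """Classify one attachment name: what is shown, what it really is,
    and whether the hidden extension disguises a runnable file as a
    document (the double-extension trick)."""
    lowered = filename.lower()
    real_ext = lowered.rpartition(".")[2] if "." in lowered else ""
    shown = displayed_name(filename)
    shown_lower = shown.lower()
    shown_ext = shown_lower.rpartition(".")[2] if "." in shown_lower else ""
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "shown_as": shown,
        "real_extension": real_ext,
        "executable": executable,
        # Runnable underneath, but the visible name ends in a document type.
        "disguised": executable and shown_ext in DOCUMENT_EXTS,
    }


def find_disguised(names):
    """Return the subset of attachment names that use the double-extension
    disguise; handy for a mail-gateway or helpdesk triage list."""
    return [n for n in names if classify_attachment(n)["disguised"]]


if __name__ == "__main__":
    # Constructed sample of attachment names, mixing routine documents
    # with the kind of name the thread warns about.
    sample = ["morning_digest.pdf", "Readme.txt.vbs", "filing.doc", "setup.exe"]
    for name in sample:
        print(name, "->", classify_attachment(name))
    print("disguised:", find_disguised(sample))
```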
Yes, I do have a bias against poorly-written, insecure software with defaults specifically chosen to make it incredibly easy to write and spread viruses! The fact that this is an anti-Microsoft bias is coincidental.
I have done the research - have you? Try to get a script in any language you may desire, whether it be Python, Perl, tcl, bash, zsh, or csh, to run by default in a Unix environment just by clicking on it. At best you will see the script content load into a text editor such as vi or emacs, and at worst you will get a chance to pick an application to run it.
Also, for another view of exactly why this is Microsoft’s fault, which goes into much more detail on the exact security leaks that Outlook and the Windows Scripting host provide, but Unix and MacOS do not, take a look at http://slate.msn.com/Features/lovebug/lovebug.asp - but of course, it’s entirely possible that a part of the MSN network would have a “bias” too.
In the same way that a person who leaves a loaded gun in a baby’s crib is only guilty of not putting a firearm in a locked cabinet.
Remember it? Hell, I’ll even provide some cites for it!
That’s a description of the GNU/Emacs security hole that allowed an arbitrary text file to create elisp variables (which is the same as saying that it could run code - Lisp has almost no separation of program and data, at least in Emacsland). It’s dated September 14, 1988, and the simple change necessary to prevent automatic execution of the payload just by causing Emacs to load a file somehow managed to get made in the just shy of twelve years between then and now.
As I said: active content is a solved problem, and people audit everything for this sort of hole. If Outlook wasn’t the only easy and effective vector for this sort of thing, it’d have already happened to some other mailer.
I’m not agin Microsoft because this is a new, and unexpected problem with the interaction of complex components. I’m agin them because this is an old and well-understood problem, which Unix people have been dealing with ever since someone said “You know, we could make this thing scriptable”, and yet they haven’t made the one-byte patch necessary to cripple Outlook as a vector for email viruses.
Also: MacOS has a scripting host that can drive almost all applications, AppleScript, and at least one AppleScriptable mailer. Where are the MacOS email viruses?
On mutations: mutations happen when somebody edits the virus. I could easily, for example, add “.xls” and “.doc” to the list of file extensions it looks for to overwrite. It would take me perhaps two minutes — and I don’t know Visual Basic. A more interesting modification, such as randomizing the subject lines and message text, would take me perhaps an hour with the VB reference manual.
On security: Microsoft Windows, like the Mac it emulates, launches programs or opens documents when you double-click them. This is a good choice for the file manager of a single-user workstation circa 1984; it is not a good choice for an email program on a networked communication appliance in 2000. I don’t know of any Unix email client (and there are more than 100) that has a convenient way to say “run the program included as an attachment in this message”, let alone uses the same command to do that and to, say, view a .gif file.
Unless you count Java, which is theoretically sandboxed so it can’t do any harm — and most Unix email clients won’t even autorun Java programs.
In any case, attachments should be processed in an OS-provided sandbox, not run with privileges to overwrite the whole filesystem. Unix normally does this to a limited extent by running all user stuff as that user, but that still means an email worm (say, one that exploited the holes in Pine’s default .mailcap from a few months ago) could overwrite all your files. There is experimental work to run this stuff in such a way that the OS prevents it from overwriting any files, no matter what kind of evil security holes are in your mail client — for example, Subterfugue and Janus. See http://atrey.karlin.mff.cuni.cz/~pavel/dipl/eng.html for some of the work in this area. I think it’s still a pain in the butt to actually use so far.
The security recommendations in section 7.4 and Appendix G of RFC 1341 — the first MIME standard, published in nineteen fucking ninety-two, and the first standard for attachments for Internet email — are blatantly violated by Outlook’s script-handling. If Microsoft’s programmers were professionals, they would be liable for malpractice.
Actually the problem with the preview pane was solved back in August in Win’98. If you had used Windows Update and did the critical updates you would not have to worry about things like the Bubbleboy virus being automatically executed. People don’t do the updates… that’s the real problem. Windows is a complex program, there are going to be bugs in it, the only way you deal effectively with it is to get the updates to deal with the bugs.
I’m no whiz at this like you guys are, but before I read this thread, my husband and I spent the whole day reloading after getting eaten by the “Mother’s Day” virus. My husband swore he only previewed the e-mail in question, yet it still got us. After reloading Windows 98, we went into Outlook/Tools/Options/Read. And there was a box, pre-checked, stating, “automatically download message when in preview pane.” We promptly UNCHECKED it. Am I missing something?
Saying that people not updating is the real problem is analogous to saying that people writing malicious viruses is the real problem. Both are facts of life that you have to deal with one way or another.
People don’t update Unix systems very often, either — but Unix has a much better record for security than Windows. People never update qmail because qmail is already secure. No security bugs have ever been found in it — although it’s a replacement for the widely-used sendmail program that was responsible for a large fraction of the Unix vulnerabilities over the last fifteen years. (To be fair, sendmail today is much better than it was.)
Microsoft’s defect rate is something like 17 bugs per thousand lines of code. There are software producers now (certified at SEI CMM level 5) whose defect rate is well under 0.1 bugs per thousand lines of code. There may not be a way to produce bug-free software, but there are ways to produce software that is orders of magnitude more bug-free than Microsoft’s.
qmail has had more than 0.1 bugs per thousand lines of code, if I remember correctly. But none of its bugs have been security-related. (I think there have been three bugs discovered.)
This is largely because qmail is designed around the principle of minimal privilege, which makes the chance that any particular bug will be a security hole much smaller.
qmail-level security can’t be retrofitted; it has to be built in from the beginning, starting from the requirements phase. “That bug is fixed in a more recent release” is not an acceptable excuse; as long as you keep adding features, fixing bugs in new releases will never give your customers a secure system — just a system they have to upgrade frequently.
All of this is sort of irrelevant to this virus. The fact that Outlook will infect your machine with a virus if you double-click on an attachment is not a bug — it’s a designed-in feature. It has been documented in Internet standards documents for at least eight years — since before any Microsoft products had Internet capabilities! — that this behavior is a security problem, but Microsoft’s Outlook team ignored this. Every other mail client that exists has guarded against this problem; Microsoft’s Outlook team disregarded common practice.
This was recklessly irresponsible, and it has made Microsoft’s customers very vulnerable to individual evildoers — not even very smart ones, at that. It has cost Microsoft’s customers billions of dollars. I think Microsoft should be liable for some part of the damages.