Problem solve Get help with specific problems with your technologies, process and projects.

How a virus is executed from Outlook's preview pane

How exactly does a virus execute itself just from previewing in Outlook Express? Does turning off the preview pane prevent this, and would this mean that you would have to delete it before you previewed it?

In the past month, I've received two e-mails that tripped my antivirus software wires. The message I got (I didn't write it down) was confusing. It said it found a virus and couldn't do anything about it. The e-mails contained attachments that I never opened, and I just deleted the e-mails. I also received two e-mails that were definitely viruses (I got a game for you and cool flash), and my antivirus did not detect. However, I just deleted them.

I am still up and running, no trigger event, do you think I could be infected?

I'll include links to the details as provided by Microsoft concerning this sort of vulnerability. I'm sure you'll understand if I don't tell you how the actual virus code works.

In an nutshell, when an e-mail that has been sent in HTML format is opened by Outlook Express, the Internet Explorer program is invoked to display the e-mail message properly in the mail client. Internet Explorer first examines the e-mail to determine the type of attachment. If the attachment is a normal non-executable file, IE will automatically render it in all its HTML graphical glory.

A virus can edit the e-mail's attachment information, tricking Internet Explorer into automatically executing the e-mail attachment if it was an executable file, by altering the MIME headers to make it appear that the attachment is not in fact an executable file.

Suffice to say that you should patch your copy of Outlook Express to remove this vulnerability from your system. Until you do so, your system is in a less secure state.

Get Microsoft info about a patch here.

More on this topic

  • Ask the Expert: Whether or not to use Outlook's preview pane
  • Tech Tip: Preview "pain"


This was last published in June 2002

Dig Deeper on Email and Messaging Threats-Information Security Threats