"The affected e-mail clients are flawed in the way they handle the headers, allowing the attacker to hide and deliver a virus," said Valentijn Sessink, a consultant at Linux company Open Office VOF in Amsterdam.
The problem has been experienced with Outlook Express 5.5 and 6.0, Sessink said. Other versions of Outlook and Outlook Express may also be affected. The most recent version of Outlook Express is 6.0, which comes with Internet Explorer 6.0. Outlook Express for the Macintosh appears not to be affected.
Affected Outlook clients will interpret the manipulated code as a command to display an attachment, while clients that don't have the bug will only display a couple of squares in the subject field and indecipherable code in the body of the message. Server-based virus scanners that only scan attachments won't catch the virus because, technically speaking, it is not an attachment but a malformed header, Sessink said.
Users relying on server-based protection, for example in a company or at home where certain Internet service providers offer e-mail scanning, are at risk. Desktop antivirus protection will still catch the virus when the attachment is opened, Sessink said.
Alex Shipp, senior antivirus technologist at MessageLabs, which operates an e-mail virus scanning service, said that although his service would catch a virus hidden in the way described by Sessink, it is possible that other services wouldn't.
"Most of the antivirus vendors follow the Internet standards for e-mail when they develop their e-mail parsers. But Microsoft doesn't follow the standards. That means it is possible to create a specially crafted e-mail that will not be detected by all antivirus scanners, but it will be displayed by Outlook," he said.
Marius van Oers, virus research engineer with antivirus software vendor Network Associates agreed: Whether the hidden virus is caught depends on the configuration of the e-mail gateway scanner. If the system is set to scan every byte of the message, then even a hidden virus should be stopped, he said.
Sessink disclosed the bug on his Web site and in a publication on the Bugtraq mailing list, because Microsoft wouldn't acknowledge him, he said. Sessink details his findings on www.openoffice.nl/special_interest/outlookbug.html.
"I would have much preferred it if Microsoft had picked this up and solved the problem. Now I have to explain what is wrong with the software," he said, adding that he sent Microsoft several e-mail messages and also called once. Microsoft was first informed on 31 January, he said.
Microsoft is investigating the report made by Sessink, a spokesman said.