The virus is called BubbleBoy and was e-mailed to researchers at Network Associates, a US computer security company.
"This ushers in the next evolution in viruses. It breaks one of the long-standing rules that you have to open an e-mail attachment to become infected," said Network Associates spokesman Sal Viveros. "That's all changed now."
The researchers believed its threat is so serious that they notified the FBI, said Vincent Gullotto, director of the company's virus detection team. "This could be a watershed," he said.
Financial implications
Graham Cluley of Sophos Antivirus told BBC News Online: "BubbleBoy does not have a deliberate destructive payload but does e-mail itself to everyone in your address book.
"The Melissa virus only mailed the first 50 addresses and that traffic caused some companies to shut down their servers, losing business and real money."
Bubbleboy is not yet "in the wild" but it shows how easily a more destructive virus, which steals personal information or erases a hard disk, could enter a computer.
Mr Cluley said that if people had not patched Internet Explorer security holes or did not have up-to-date antivirus software, then BubbleBoy was unstoppable - if you see the e-mail in your inbox, then you are already infected.
Antivirus companies have been rushing to post upgrades to their software on their websites.
Don't even look
The virus affects computers running Microsoft's Windows 98, the web browser Internet Explorer 5.0 and the e-mail programs Outlook or Outlook Express. Some versions of Windows 95 are also affected but not Windows NT or Netscape programs.
Bubbleboy only requires that the e-mail be previewed on the inbox screen. As soon as this is done the virus infects the computer.
This happens because Outlook, and other programs like Eudora, convert any HTML code into formatted text. This action allows other code to be run, in this case releasing the virus.
The HTML conversion should not allow a virus to enter but two security holes in Internet Explorer, known since August, left a door open for hackers.
Microsoft "goof"
Mr Cluley said: "Microsoft has seriously goofed up again."
He said people should plug the holes with a Microsoft patch available on the web. They could then continue using MS software but avoid future exploitation of these holes by hackers,
A more straightforward way of avoiding BubbleBoy is to set Internet Explorer's security to High for the internet zone.
Bubbleboy is named after an episode of US comedy show Seinfeld and is just five kbytes in size. The email carrying it has the subject text "BubbleBoy is back!"
���
New virus spills your beans
(03 Aug 99 | Sci/Tech)
Back Orifice is child's play, say virus firms
(13 Jul 99 | Sci/Tech)
Computer virus takes its toll
(15 Jun 99 | Sci/Tech)
Chernobyl virus causes Asian meltdown
(28 Apr 99 | Sci/Tech)
Melissa virus goes global
(30 Mar 99 | Sci/Tech)
Sophos: BubbleBoy
Network Associates: BubbleBoy
Microsoft Internet Explorer security hole
Microsoft Internet Explorer security hole patch
The BBC is not responsible for the content of external internet sites.
World's smallest transistor
Scientists join forces to study Arctic ozone
Mathematicians crack big puzzle
The growing threat of internet fraud
(From Business)
Who watches the pilots?
Cold 'cure' comes one step closer
(From Health)