I received one of the first copies of a new style worm yesterday. Instead of mailing a copy of itself as an attachment, it mails a small HTML snippet, which is rendered as a blank body. The message content seems pretty innocuous; and the message doesn’t have any attachment which makes it an obvious candidate for filtering.
However, if the recipient is running Outlook (I don’t), and hasn’t applied security patches within the last 5 months or so, the act of opening the email and seeing the blank body triggers a web download of a short VBScript HTML application, which in turn downloads and runs the worm itself.
More about the new W32/Bagle-Q / W32/Bagle-R / W32.Beagle.O@mm / W32.Beagle.R@mm threat model:
Global Hauri Issues High Risk Warning on Fast-Spreading New Variations of Bagle Virus
Sophos warns of new twist in Bagle threat, as new variants emerge
Among other good suggestions, Sophos suggests blocking inbound and outbound port 81, which is used to download the bootstrap HTML application and worm. Fine and dandy for this particular incarnation of the beastie, but it would have been pretty easy for the author to have used port 80, the standard HTTP web port, instead, which would not be easy to block outbound.