Friday, March 19, 2004

New Bagle Worm Variant Can Run Without Launching Attachment:
"A series of new variants of the prolific Bagle worm has raised alarms in the security community through an innovative infection mechanism: The e-mail message in which the variants arrive may have no file attachment, and it's possible for a user to become infected without having to launch one."

The message includes a Windows ActiveX control and uses a vulnerability announced and patched by Microsoft Corp. in August and another problem from last October. The most recent Cumulative Security Update for Internet Explorer also includes a fix for the more recently discovered flaw.

The ActiveX control does not contain the actual worm, according to McAfee Security. Instead, it creates and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses. According to McAfee, as of 06:45 PST on March 18, "The majority of the 590 IP addresses seen have been closed down. At the time of writing, 39 were still responding."

http://www.eweek.com/article2/0,1759,1550835,00.asp?kc=EWNWS031804DTX1K0000599
