I wish it was true that a virus had to be in an attachment. Microsoft, for some reason, wanted it otherwise.

The Outlook preview pane will automatically run any Javascript or VBScript that is in the main body of the message. As an exercise, some people at my workplace have demonstrated this.

I would strongly advise any Outlook Express user to do the following :
Click on Tools/Options...
Click on the Security tab
Set the Zone to be "Restricted Sites"
Click on Settings... (this will bring up a warning box, click OK to acknowledge it)
Click on Custom Level...
Set "Script ActiveX controls marked safe for scripting" to Disable
Set "Java permissions" to Disable Java

---PPRuNe Dispatcher