[BrianG]

For a virus to send emails in a sender's friends list, the sender usually is the one that has some sort of virus. There is usually an image or some other document attached to it.

Ok, so let's say the attachment is an image. The image is usually named something like "vacation.jpg" and so the recipient downloads it. However, WindowsXP has a setting where it, in the default installation, hides file extensions for known file types. So, the "vacation.jpg" you just downloaded is actually "vacation.jpg.exe" but the "exe" part is hidden because it is a known file type. So, the user double-clicks on the "image" so they can view it, but instead inadvertently runs whatever code compiled in it since it is actually an executable.

One way to help prevent this type of thing is to show file extensions for ALL file types. Changing it is easy - in XP: Go to Control Panel -> Folder Options -> click the "view" tab -> uncheck the box labeled "Hide extensions for know file types" -> click "OK". All files will now show their real extension, not whatever someone named it.

It also helps to have whatever AV client you use to scan emails. Some even will scan files retrieved via a web-based system like Yahoo, gmail, hotmail, etc.