Having spent more time today deleting infected emails than actually working, I think I'm ready to move on to something else. Anything else. The worm didn't penetrate the defenses (thanks, Norton), but it was still a nuisance and a time waster.
Unfortunately, it wasn't enough for me to take my own precautions. Mail from the link on the company web site gets sent both to me and to Tim. Although I never open email attachments unless I know exactly what they are, Tim isn't that sophisticated around computers. He's a carpenter, which is an honorable profession, but it didn't prepare him for hacker treachery.
The way this worm spreads is kind of nasty. (But aren't they all that way? It's their nature.) If you open the attachment, the virus sends itself to a random contact from your address book, using one of those names as a fake return address. It's specifically designed so that the From address is not the address it's actually coming from. I've had a few automatically generated responses from various businesses, either telling me I've sent them an infected file or thanking me for my interest in their product.
Well, it wasn't me. It probably wasn't even Tim's computer that sent it out, but everything comes back to me as well as him. It's a vicious cycle, but it's the way the thing is supposed to work. There's no real comfort in that, nor in the fact that this is a third-party virus, and these messages could be coming from any computer that has my address in it.
And since the messages are being sent to the corporate address, I'm sure it has nothing to do with this site. Pretty sure, anyway.