The e-mails contain a link that appears to lead to a PDF file but instead directs victims to a malicious .SCR executable file served from a different domain, Craig Schmugar, threat researcher at McAfee Avert Labs, said in a blog post.
Clicking on the link launches the worm, which attempts to disable security software and send copies of itself to all the e-mail contacts of the victim, causing an e-mail storm.
The worm has hit several high-profile organisations, such as NASA, clogging up their e-mail systems, according to US reports.
Employees have been advised not to click on the link contained in the e-mails and reminded of best security practices, such as not clicking on untrustworthy links.
McAfee said company IT administrators should filter out all e-mails containing links to .SCR files.
The security firm has released a tool to detect the threat and guidance on how to block mass e-mails containing a link to a virus-infected .SCR file.
The link included in the e-mails studied by McAfee is no longer live, but researchers said that multiple variants may be spreading.
Machines that are already infected may still attempt to propagate through e-mail and available network shares and removable media, they said.
The attack was able to bypass many security systems that block e-mails with executable files attached because it simply contains a link to a site hosting the worm.
The hosting site is a legitimate web host in the UK, which meant the entire web site could not be blocked, security experts said.
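Because neither attachment filtering nor blocking the whole host works here, the check has to look at the links themselves. The following is an added example, not McAfee's tool or guidance: a sketch of a mail-gateway check that flags links whose target path ends in .SCR and links whose displayed URL names a different host than the real target. The function names, finding labels and sample message are assumptions made for illustration.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXT = (".scr",)  # extension named in the filtering advice above
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_blocked_target(url):  # path only: "?x=.scr" in a query does not match
    return urlparse(url.rstrip(".,;)")).path.lower().endswith(BLOCKED_EXT)

def scan_message(raw):  # raw RFC 5322 text -> list of (reason, url)
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = AnchorCollector()
            parser.feed(part.get_content())
            for href, text in parser.links:
                if is_blocked_target(href):
                    findings.append(("scr-link", href))
                shown = URL_RE.search(text)  # URL displayed as the link text
                if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
                    findings.append(("text-href-mismatch", href))
        elif ctype == "text/plain":
            findings += [("scr-link", u) for u in URL_RE.findall(part.get_content())
                         if is_blocked_target(u)]
    return findings

# Constructed sample message (reserved example domains, not from the article).
LURE = ("Subject: doc\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
        '<a href="http://files.example.net/d/report.scr">http://docs.example.com/report.pdf</a>\n')

if __name__ == "__main__":
    print(scan_message(LURE))
```

Legitimate newsletters that rewrite links through click-tracking hosts also trigger the mismatch finding, so it is better used as a scoring signal than as a hard block.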
This story was first published by Computer Weekly