The Birmingham university researchers say that the malware - rated as one of the most pervasive in the US for some time by Network World - is currently infecting 3.6 million PCs in the US.
Gary Warner, director of forensics with the university, says that the fake postcards ask users to click and download to view the contents, and as soon as that click is made, the Zeus Bot malware has infected their computers.
"Once on a user's computer, Zeus Bot will give cybercriminals access to passwords and account numbers for bank, e-mail and other sensitive online accounts," he said.
According to Warner, hackers are using the fake Internet postcards as the latest mechanism to download the virus software onto unwitting users' computers.
Once the virus is on a computer, he said, it becomes a part of the Zeus Botnet and is able to steal Web site data from victims.
The malware uses a graphical user interface to keep track of infected machines throughout the world and is equipped with tools that allow the criminals to prioritize the banks and related stolen accounts they want to strike, Warner said.
"These messages are standard in their design and carry a subject line that indicates they come from the Web site 1001 Postcards," he explained.
"In this case and when it comes to messages that are supposedly from your bank, eBay or any other site, don't click on the links in an email," he said.
"Instead, type the address for the site that the message is coming from into your Web browser and log in as you normally would. If the site has an important message for you, you'll be able to find it," he added.