Add a new danger to the many already lurking online: Open up the wrong music or video file and you could reveal all your passwords to Russian cyber-crooks.

The risk was discovered by researchers at San Jose, Calif.-based security firm Secure Computing. Here's how it works. Joe ComputerUser buys an illegal copy of a software program and heads online to get the verification code that will unlock the pirated software. That’s when a Trojan is downloaded onto Joe’s computer. The same Trojan might also be picked up from a file-sharing site, like Kazaa, that lets consumers exchange music and other content.

Joe doesn't know it, but that Trojan is infecting all his MP3 (music) and WAV (video) files. Then, Joe shares one of those files with a friend, who tries to play it. When he does, he gets a pop-up that says he has to download a "codec" (a compression/decompression algorithm) in order to play the file. Joe's buddy, excited to listen to the song Joe shared with him, doesn't think twice and allows the download. He doesn't know it, but he's been infected with malware that steals all his passwords and sends them to the Russian crime network mentioned above.

This particular Trojan is notable, says Christoph Alme, team lead for the Secure Computing’s antimalware research labs, because it infects existing files, such as Joe's own MP3s, that then serve to pass on the malware.

As nasty as this Trojan is, you can easily avoid it. Don't buy pirated software or download illegal music. And if a friend innocently sends you an MP3 or WAV file that says you need to download or install something in order to play it, deep-six the file instead. Above all, don't forget to make sure your security software is updated and running properly. Alme says most security-software providers are already wise to this new exploit.

—Donna Tapellini