Circulating as an Email, a fake message points people at a bogus Website that claims to host critical security updates.
But anyone downloading from the site will get a virus installed that opens a backdoor into their computer, which the program's creators can exploit.
Security firms and Microsoft urged users to ensure they visit legitimate sites when downloading updates.
Anti-virus firm Sophos spotted the Email, which uses subject lines saying "Urgent Windows Update" and "Important Windows Update".
In the body of the message is a Web link that looks like it should link to the Windows Update Website but in fact links to a site controlled by the malicious hackers.
Anyone downloading the fake update on the bogus webpage will have their computer infected with the DSNX-05 trojan.
This opens a backdoor into the PC that could be exploited by the creators of the malicious program.
Falling victim to this could leave computer owners vulnerable to identity theft or to having their computer used to send spam, attack other sites or host dubious material.
Microsoft said it only sent Emails about security updates and incidents to those who have explicitly asked to be sent them.
It also said it never sends out information about security problems before its Website has been updated with information about those problems.
This means that if users cannot find information about security problems mentioned in an Email on the Microsoft site, they should be suspicious of the message.
Microsoft also urged users to type in the name of the Website they are trying to reach rather than use a hyperlink as these can hide spoof Websites.
"Users must be very careful to be sure they are going to the official update Websites, rather than just following links in Emails which have been sent by hackers," said Graham Cluley, senior technology consultant at Sophos.