When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides behind Sony BMG software that is itself hidden: that software would have been installed on a computer when consumers played Sony's copy-protected music CDs.
"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," Sophos's Graham Cluley said.
Security software firm Symantec also discovered the first trojans to abuse the security flaw in Sony BMG's copy-protection software. A trojan is a program that appears desirable but actually contains something harmful.
The music publishing venture of Japanese electronics conglomerate Sony and Germany's Bertelsmann is distributing the copy-protection software on a range of recent music CDs.
When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.
The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.
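The two points above (third-party malware hiding behind Sony's cloak, and the cloak concealing all associated files) are what rootkit scanners look for with a "cross-view" check: a listing taken through the high-level API the rootkit hooks is compared with a lower-level view, and anything missing from the first is flagged. The Python script below is an added illustration written for this page, not code from the article or from Sony or Sophos. Both views are simulated on constructed in-memory data so it runs offline; the `$sys$` prefix matches the publicly documented behaviour of the XCP cloak but is a parameter here, and the file names are constructed samples.

```python
"""Cross-view detection of rootkit-style file cloaking (added example).

A cloaking rootkit hooks the directory-listing API so that certain names
never appear to ordinary tools. A scanner that trusts only that API sees
nothing; comparing it against a raw view exposes the hidden entries.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the cloak hides every name that begins with this prefix.
# (The XCP rootkit was documented to hide "$sys$"-prefixed names; the
# value is a parameter in this example, not something the article states.)
CLOAK_PREFIX = "$sys$"

# Constructed sample of what the raw on-disk directory contains.
RAW_LISTING = [
    "player.exe",           # ordinary, visible file
    "$sys$drmserver.exe",   # constructed: cloaked copy-protection component
    "$sys$backdoor.exe",    # constructed: unrelated malware riding on the cloak
    "readme.txt",
]


@dataclass(frozen=True)
class Finding:
    """One file that exists on disk but is missing from the API view."""
    name: str
    reason: str


def cloaked_view(raw: list[str], prefix: str = CLOAK_PREFIX) -> list[str]:
    """Simulate what a hooked listing API returns: prefixed names are dropped."""
    return [name for name in raw if not name.startswith(prefix)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[Finding]:
    """Flag every entry present in the raw view but absent from the API view."""
    visible = set(api_view)
    return [
        Finding(name, "present on disk but hidden from the listing API")
        for name in raw_view
        if name not in visible
    ]


def scan(raw: list[str] = RAW_LISTING, cloak_active: bool = True) -> list[Finding]:
    """Run the cross-view check.

    cloak_active=True models a machine with the cloaking component installed;
    cloak_active=False models a machine after the cloak has been removed, where
    the API view and the raw view agree and nothing is flagged.
    """
    api_view = cloaked_view(raw) if cloak_active else list(raw)
    return cross_view_diff(api_view, raw)


if __name__ == "__main__":
    for finding in scan():
        print(f"HIDDEN: {finding.name} ({finding.reason})")
    print("after cloak removal:", scan(cloak_active=False))
```

Note that the diff flags the copy-protection component and the malware alike: the scanner does not need to know what the hidden file is, only that two views of the same directory disagree. Removing the cloak (as Sony's patch does) makes the views agree again, which is why the check returns nothing in that case.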
Sophos said it would make available a tool to disable the copy-protection software.
Sony BMG made a patch available on its web site on Tuesday that rids a PC of the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security".
The patch does not disable the copy protection itself.
The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.