"To the average computer user, the link in the email would seem perfectly legitimate as it points to YouTube.com, but if one were to hover the mouse over the URL, it would point to a numeric IP address," McAfee Avert Labs researcher Vinoo Thomas wrote today on the company's blog.
The attack uses HTML anchor tags to obfuscate the address, he wrote.
If an unsuspecting end-user clicks on the link, and their computers are updated with the latest patches, the typical storm worm exploit code runs on their PCs, according to a Websense Security Labs alert posted Saturday.
Should users be fully patched, they are routed to a page that requests they run the code manually.
"The malware author has used clever wordings on the webpage in order to entice users to manually download and launch the virus via good old social engineering," Thomas wrote.
Researchers have attributed the recent dramatic rise in spam to the storm worm, which first began appearing in January. The worm attempts to add compromised PCs to its botnet army. Spammers have customized their tactics to deliver the trojan in different ways, including as electronic greeting cards and news stories.
Click here to email reporter Dan Kaplan.