The spam emails contain links to what are claimed to be CNN's Top 10 news stories and video clips.
However, clicking on any link launches a dialogue saying that the user has an obsolete version of Flash Player and needs to download an updated version, according to Sam Masiello, VP of MX Logic, a Denver security company.
MX Logic detected more than 160 million fake CNN spam messages transmitted within 48 hours earlier this week.
The dialogue goes into an endless loop if the user clicks the "Cancel" button to disallow the update, forcing victims to either kill their browser session or accept the download, he said.
If the user accepts the download of the fake Flash Player update, they receive no Flash Player update at all but a Trojan, detected under any of several names including Cbeplay.a, which then "phones home" to a malicious server to download and install further malware, according to Bulgarian security researcher Dancho Danchev.
On Tuesday, Danchev reported having discovered more than 1,000 hacked websites hosting the fake Flash Player malware.
Adobe is aware of the malware masquerading as a Flash Player update and has warned users in a company security blog entry not to download updates for Adobe software from anywhere other than Adobe's own website.