When opened the postcard unleashes the Clsldr.D and Divo.A trojan viruses, the latter capable of stealing personal details from online bank transactions.
"Because this email doesn't arrive with an attached file, some may believe it is harmless. But just visiting the web link on an unprotected computer puts it at risk of infection," said Graham Cluley, senior technology consultant at antivirus company Sophos. "The message is simple, don't trust everything you read on the internet, and ensure you are not putting your computer and its data in danger."
The email is getting through the filters of at least one major email services company and is a particular danger because of the increasing popularity of e-cards.
"There's a very real risk that some people will think one of these emails is from a long forgotten friend or work colleague and follow the link out of curiosity," said Cluley. "If you receive an unexpected virtual postcard it may prove wise to simply delete it."
In other spam news Finnish antivirus firm F-Secure is warning about a fake Microsoft security bulletin currently in the wild. It claims to be update MS05-39 but instead downloads a virus onto the users' computer.
"The link in the fake bulletin points to a hacked server located in ThePlanet's IP address space. The account in question already has its bandwidth limit exceeded. Which is probably a bad sign," said Mikko Hypponen, director of antivirus research, writing on the company's weblog. "As a sidenote, MS05-39 doesn't exist. The last real security update from Microsoft is MS05-34."