
Email messages carry a photograph of gunman Cho Seung Hui and claim to link to a Brazilian movie website carrying footage of the campus shootings.
But clicking on the link downloads a malicious screensaver file which installs a banking spyware Trojan.
The Trojan attempts to steal passwords, usernames and other information from online bank users, opening the possibility for identity theft and allowing bank accounts to be raided by cyber-criminals.
"It is pretty sick that cyber-criminals use tragic events like this in their attempts to make cash, but sadly it is not the first time and unlikely to be the last," said Graham Cluley, senior technology consultant for Sophos.
"It is of paramount importance that everyone treats unsolicited emails with suspicion, and thinks twice before they run a unsolicited program or click on a link.
"Regular antivirus updates, firewalls, security patches and a good serving of common sense is a must."
Past malware and spam campaigns have taken advantage of headline breaking news stories such as Hurricane Katrina, the Indian tsunami and the terror bombings in London.