The data theft is carried out by a Trojan horse downloaded at the same time as CoolWebSearch and a mail zombie, Sunbelt said. Patrick Jordan, a Sunbelt employee, discovered the identity theft ring while researching a variant of CWS, which is a malicious program that hijacks Web searches and disables security settings in Microsoft's Internet Explorer Web browser.

The malicious code is hosted on a Web site that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP who have not installed Service Pack 2 are particularly vulnerable, as the code could be automatically downloaded without the user's knowledge, Sites said. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable.

"If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from Web site, including the Trojan. All you have to do is type in the URL and you're hosed," Sites said.