Captcha systems typically use a selection of alphanumeric characters that have been distorted and presented in a graphic with other elements designed to confuse character-recognition software. The idea is that, as only a person can read it and type in the correct sequence, spam bots and other malware can be stopped from automatically setting up accounts.
The new threat was highlighted on Thursday by BitDefender Labs, which has dubbed it Trojan.Spammer.HotLan.A.
"The Trojan uses automatically generated accounts, suggesting that spammers have found a way to bypass the captcha systems," the company said in a statement.
Every active copy of the Trojan accesses an account, then pulls encrypted spam emails from a website, decrypts them and sends them to (presumably valid) addresses taken from yet another website, BitDefender continued.
Viorel Canja, head of BitDefender's antivirus labs, said there are "only" about 500 or so new accounts being created in this attack every hour, and 15,000-plus Hotmail accounts had already been used.
Yahoo could not be immediately contacted for comment.
The spam email currently being distributed is trying to lead users to a site that advertises pharmacy products. Common spammer techniques are used in the email body, added BitDefender.