Samsung did not specify how the malware got on the CD, or how it escaped its quality control checks.

Amazon's advisory identified the malware as "W32.Sality.AE," the name assigned by Other security vendors, such as McAfee Inc. and Trend Micro Inc., have pegged the malware with other names, including "W32/Sality" and "Troj_Agent.xoo," respectively. said W32.Sality.AE was a downloader, a malicious program that once installed, downloads even more malevolent attack code.

Most security companies said that the malware -- variously labeled "virus" and "Trojan" -- was first spotted in the wild last August, although some reported earlier variations as far back as mid-2007.

People who purchased a Samsung photo frame should download an updated -- and theoretically malware-free -- version of the from Samsung's support site, Amazon recommended.

Only users running Windows XP are at risk, Samsung and Amazon said; Windows Vista is immune.