A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E Trojan virus to British e-mail addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down the firewall and gives hackers access to a PC.

The malware hides by using software that is also hidden — software which is installed on Windows-based PCs when consumers play Sony BMG's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

Sony BMG's spokesman, John McKay in New York, was not immediately available to comment.

Sony BMG, a joint venture between Tokyo-based Sony Corp. (SNE) and Gutersloh, Germany-based Bertelsmann AG, is distributing the copy-protection software on a range of recent music CDs by artists such as Celine Dion and Sarah McLachlan.

When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.

The software sparked a class-action lawsuit against Sony BMG in California last week, claiming that Sony BMG had not informed consumers that it installs software directly into the "root" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Sophos said it would have a tool to disable the software later on Thursday.

The Sony BMG copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.