These popular devices are now so powerful that they've become computers in themselves, although people who buy them don't always realize that. And like computers, the frames are capable of carrying code that logs keystrokes, steals data and calls out to other malicious code once it's installed itself on a PC.

"Users don't realize that bad guys can make use of each and every computer they can control, even if you don't do Internet banking or have any sensitive information," said Karel Obluk, the chief technology officer of AVG, a security vendor with offices in the United States and Europe. "They can profit by spam or other illegal activities and make (your) PC part of an illegal network. It's something that users should always be reminded of."

No one knows how many infected digital photo frames are out there. But the Consumer Electronics Association estimated that 7.4 million such frames were sold in 2008 - up 41 percent from 2007 - and projected that sales would jump again this year by 33 percent to more than 9.8 million frames.

Among the frames reported to be infected this holiday season were a Samsung 8-inch frame sold by Amazon.com, an Element 9-inch frame sold by Circuit City and a Mercury 1.5-inch frame sold by Wal-Mart.

Amazon.com has e-mailed warnings to its customers about the Samsung frame, but a Circuit City spokesman said the retailer wasn't aware of any infections. After being contacted by The Chronicle, a Wal-Mart spokeswoman said the company would remove the Mercury frames from its Web site.

In 2007, Sam's Club - owned by Wal-Mart - also sold infected frames over the holidays, according to customers who bought them, as did Best Buy, Target and Costco.

American consumers shopped hard for bargains this year, and digital photo frames have been good deals. Wholesale prices continue to drop - Wal-Mart has been selling the Mercury frame, which comes embedded in a key chain, for $24.

But the infected frames also show how risky it is to live with a global supply chain where the cost of buying products at the lowest price means those products can vary widely in quality.

Exploiting Autorun

The Mercury photo frames sold by Wal-Mart, for example, were manufactured by Kobian, a company with headquarters in Singapore, factories in India and dedicated subcontract facilities in China, according to the company's Web site. No offices were listed in the United States, and Kobian could not be reached for comment.

Furthermore, although this year's crop of malicious code varied in its potential destructiveness - some of what reportedly was found on the frames was old code that was easily detected by antivirus software - it all spreads by taking advantage of a feature in Microsoft Windows called Autorun that makes digital frames and other electronic devices run automatically when they're plugged into a PC.

Microsoft turns on Autorun by default to make these devices easier to use, although security experts routinely tweak Windows so that Autorun is turned off.

Microsoft, however, advises against this. Turning off Autorun is not a simple step, said Ziv Mador, a senior program manager at Microsoft's malware protection center, and PC users who try it are likely to wind up confused.

"They're used to entering a CD (or plugging in a frame) and it loads automatically, and that will not work anymore," he said. "The important thing is to have up-to-date antivirus software and keep it turned on. That will mitigate much of the risk."

More devices, infections

Mador also recommends using electronic devices that come from known, reputable vendors.

Still, infections spread through Autorun are up sharply in the past six months, said Paul Ferguson, a security researcher at Trend Micro in Cupertino. Trend Micro is detecting hundreds of thousands of new infections every day, he said, although they're not all caused by digital photo frames.

In November, the Department of Defense banned the use of all removable storage devices in order to halt the spread of a worm on their networks, according to reports by military news services.

In May, infected memory sticks were accidentally handed out at a computer security conference run by Australia's national Computer Emergency Response Team.

"It was very embarrassing, but this stuff always needs to be suspect," Ferguson said.

One way to prevent these infections is for companies to get better control over their manufacturing processes, although that can be difficult to do. A single infected factory PC may infect 1 out of 100 frames, and some slip through quality assurance and onto retailers' shelves.

When a batch of frames is infected, it can be difficult to track down. Amazon had to delay warning its customers about the Samsung frames for more than two weeks, until Dec. 19, because the product recall that Samsung posted on its own Web site on Dec. 2 "was not sufficient for our customers' needs," a spokeswoman said.

Security software a must

For people who use digital picture frames - along with memory sticks, digital cameras, thumb drives and other devices that run by connecting to PCs - updated antivirus software is a must, along with software from vendors like Novashield, Threatfire and Sana Security that detects malicious code by studying its behavior on your PC, according to a Christmas Day posting by SANS, a group of security researchers in Bethesda, Md.

One recent purchaser of a digital photo frame isn't taking any chances. David Drake, a network engineer at NetTech Computer Services in Redondo Beach (Los Angeles County), said he bought an infected photo frame on the weekend before Christmas.

After he found and cleaned off the malicious code, he gave the frame to his parents, but said he won't let them download pictures to the frame by themselves. He will do it for them.

"If I'd left it up to my parents to load their own pictures, they probably would have destroyed their computer," he said. "With companies outsourcing and not being tight on quality, I think these infections are getting more common."

E-mail Deborah Gage at dgage@sfchronicle.com.

This article appeared on page C - 1 of the San Francisco Chronicle