When one of those files is played, a pop-up prompts the user to download a codec -- do so, and there comes the malware.
Once the malware arrives, the infected media files are able to further its spread via peer-to-peer file-sharing.
The source of the infection, according to Secure Computing, appears to be warez pirate software and software-key sites, which makes its subsequent spread vector a pretty safe badguy bet: users grabbing illegal warez are pretty likely to be P2Ping illegal (or, for that matter, legit; the malware doesn't care) content as well.
Like I said: human nature.
But coming on the heels of the P2P peek behind Justice Breyer's privacy robes, this is yet another reminder that small and midsize businesses need to get the word out to all their employees that piracy and, I recommend, P2P are absolutely prohibited on company equipment, networks and time.