It could've been email spoofing[1], where the attacker sends an email with a worm and makes it look like it was sent from a friend. Once the email is opened by the recipient, the worm sends a similar email to the recipient's contacts, which continues to spread the spam.
[1] http://en.wikipedia.org/wiki/E-mail_spoofing
reply