Trojan Horse


Discovered: February 19, 2004
Updated: April 20, 2010 4:20:07 PM
Also Known As: Trojan-Spy.HTML.Smitfraud.c [Kaspersky], Phish-BankFraud.eml.a [McAfee], Trj/Citifraud.A [Panda Software], generic5 [AVG]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

Trojan Horse is a detection name used by Symantec to identify malicious software programs that masquerade as benign applications or files.

Trojan horse programs pose as legitimate programs or files that users may recognize and want to use. They rely on this trick to lure a user into inadvertently running the Trojan. Often a Trojan will mimic a well-known legitimate file name or pose as a particular type of file, such as a .jpg or .doc file, to trick a user.

Trojans are distributed to compromised computers in a variety of ways, ranging from email attachments and links to instant messages, drive-by downloads, and being dropped by other malicious software. Once installed on the compromised computer, the Trojan begins to perform the predetermined actions that it was designed for.

Trojan horse is a generic name given to all Trojan programs. They can be further categorized by their primary payload functions and generally include the following types:

  • Backdoor.Trojan - a Trojan with a primary purpose of opening a back door to allow remote access at a later time.
  • Downloader - a Trojan with a primary goal of downloading another piece of software, usually additional malware.
  • Infostealer - a Trojan that attempts to steal information from the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version February 19, 2004
  • Latest Rapid Release version October 17, 2019 revision 018
  • Initial Daily Certified version February 19, 2004
  • Latest Daily Certified version August 15, 2019 revision 002
  • Initial Weekly Certified release date February 19, 2004


Technical Description

Trojan Horse is a detection name used by Symantec to identify malicious software programs that masquerade as benign applications or files.

Background information
Trojan horse programs are named after one of the most famous deceptions in history. In ancient Troy, the Greek army appeared to leave the war ravaged shores of Troy, but left a large wooden horse in what appeared to be a peace gift. Within the Trojan horse lay an elite group of Greek warriors, unbeknownst to the City of Troy. Once inside the City, the elite warriors quickly and efficiently performed their planned operation and captured the City.

Software Trojans masquerade as an application or file that entices a user to open it. A Trojan horse may copy itself onto the compromised computer, but it does not make copies of itself and spread like a virus, which is the key difference between a Trojan and a virus. While most Trojans only execute their own malicious code, some Trojans may actually perform the actions of the file they pretend to be and then execute their own malicious code on the compromised computer. Other Trojans make it appear that they are performing the desired actions, but in reality do nothing but trigger their malicious routines.

Trojans arrive on compromised computers in a variety of ways. These methods distribute the Trojan, often as rapidly as possible, so that it can maximize the opportunity to perform its main function in a large user population before it is detected by antivirus software.

One of the most common methods is for the Trojan to be spammed as an email attachment or a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. These methods often rely on social engineering techniques to tempt the user to click on the link or open the file, since many of these emails and instant messages appear to come from people the user knows. These techniques play on a user's curiosity about the big news item of the day, such as a celebrity scandal, crisis, catastrophe, or major global event.

Another means of arrival is a method called drive-by downloads. A drive-by download occurs when a user visits a web site that is either legitimate but compromised and exploited, or malicious by design. The download occurs surreptitiously, without the user's knowledge. Alternatively, the user is asked to update or add a video codec while at a malicious web site. When the user complies with this request, they inadvertently download a Trojan pretending to be the video codec.

Finally, a Trojan horse program can be dropped or downloaded by other malicious software or by legitimate programs that have been compromised or exploited on the compromised computer.

Just as each Greek warrior had his own task to perform in capturing Troy, there are several types of Trojans, each with particular functions. Some Trojans perform multiple functions and have the prefix of Trojan, while others are categorized by their main functions.

  • Backdoor Trojans are stealthy and allow remote access to the compromised computer by opening a back door.
  • Downloader Trojans are aptly named, as they download additional files onto the compromised computer, which may be additional malware or updates of the Trojan.
  • Infostealing Trojans gather confidential information from the computer and send it to a predetermined location. This information can be financial, related to the compromised computer, or user credentials for various web sites.

Who creates Trojans?
Trojan horse programs were once created by malware authors for an assortment of reasons, most especially the infamy of causing destruction and damage, and to make a name for themselves by proving they could write malicious programs. Trojans are now generally created by malware authors with the intent of making a profit.

What happens after the Trojan is installed?
Once it is executed on the compromised computer, a Trojan horse program may create files and registry entries. It may copy itself to various locations. It may start a service or inject itself into processes and then carry out its primary functions.

What can Trojans do?
Trojans can perform a large variety of actions. Some Trojan actions that are most commonly seen include:
  • Distributed Denial of Service
  • Downloading files
  • Dropping additional malware
  • Disabling security-related programs
  • Opening a back door
  • Stealing confidential and financial information

Are there any tell-tale signs?
As deception is one of the hallmarks of Trojan horse programs, many will run with as much stealth as possible. This means that, in the majority of cases, there will not be any obvious tell-tale signs that they are running on a computer. There are some Trojans that may display messages or dialog boxes and some that may display picture files or open a text file.

What are the risks?

Damage from Trojans ranges from a relatively minimal risk of annoyance and nuisance to a high risk of destruction or loss to the user. Hidden files, modified registry entries, and annoying but harmless displays of pictures or error messages are examples of some of the low-risk actions associated with Trojans.

On the other end of the scale, the potential for identity theft is high and is considered a personally damaging risk to a user. Another high and potentially destructive risk is the opening of a back door that can allow a remote attacker access to the compromised computer to perform many actions, such as:
  • Create administrator accounts
  • Participate in a Distributed Denial of Service (DDoS)
  • Provide confidential computer information
  • Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection, such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall (or better still, an Intrusion Prevention System (IPS)) will help to block download activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.

How can I find out more?

Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
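The attachment policy in the list above (block .vbs, .bat, .exe, .pif and .scr files at the mail server) and the masquerading described earlier in this writeup (a Trojan posing as a .jpg or .doc file) can be checked together at a mail gateway. The following is an added example, not code from the Symantec writeup or any Symantec product; the extension sets, the `check_attachment` and `filter_attachments` names and the sample filenames are all constructed for illustration.

```python
from typing import Iterable, List, Tuple

# Attachment types the writeup names as commonly used to spread threats.
# A real gateway policy would extend this list; these are the page's five.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Benign-looking types a Trojan may pose as (the writeup mentions .jpg and .doc).
# Used only to explain *why* a double-extension name was blocked.
LOOKALIKE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".docx", ".pdf", ".txt"}


def normalise_name(name: str) -> str:
    """Reduce an attachment filename to a comparable, lower-case base name.

    Directory components, surrounding whitespace and trailing dots/spaces are
    dropped so that 'C:\\tmp\\Setup.EXE.' and 'setup.exe' compare equal.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().lower().rstrip(" .")


def check_attachment(name: str) -> Tuple[bool, str]:
    """Return (blocked, reason) for one attachment filename."""
    cleaned = normalise_name(name)
    # Strip whitespace around each component so padding between a decoy
    # extension and the real one ('photo.jpg        .scr') is not hidden.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    final_ext = "." + parts[-1]
    if final_ext not in BLOCKED_EXTENSIONS:
        return False, "allowed"
    if len(parts) > 2 and "." + parts[-2] in LOOKALIKE_EXTENSIONS:
        return True, f"blocked {final_ext} disguised as .{parts[-2]}"
    return True, f"blocked {final_ext}"


def filter_attachments(names: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Apply the policy to every attachment name from one message."""
    return [(n, *check_attachment(n)) for n in names]


# Constructed sample attachment names for a single inbound message.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "invoice.exe",
    "photo.jpg        .scr",
    "C:\\temp\\Setup.EXE.",
    "README",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for name, blocked, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'BLOCK' if blocked else 'pass '}  {name!r}: {reason}")
```

The decision is made on the last extension after normalisation, so a decoy extension in front of the real one does not change the verdict; it only changes the reason that is logged, which is the detail an administrator wants when reviewing what was blocked.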


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec endpoints. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
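One way to work out which registry keys were created or modified, and what has to be deleted or restored, is to compare a Registry Editor (.reg) export taken before the infection (for example from a known-good build) with one taken afterwards. The following is an added example, not code from the Symantec writeup or any Symantec product: the parser handles only the subset of the .reg format needed here (key headers and single-line "name"=data entries), the `diff_snapshots` and `build_restore_plan` names are constructed, and the two exports with their ExampleTrojan, ExampleVendor and ExampleSync entries are constructed placeholders. It produces a plan for an administrator to carry out in Registry Editor after checking each entry; it does not touch a live registry.

```python
from typing import Dict, List, Tuple

# A snapshot maps a key path to its values: {value name: data as exported}.
RegSnapshot = Dict[str, Dict[str, str]]


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse the text of a Registry Editor (.reg) export into a snapshot.

    Only the subset of the format needed for a before/after comparison is
    handled: [key] headers and "name"=data lines (multi-line hex data is not).
    """
    snapshot: RegSnapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        snapshot[current][name] = data
    return snapshot


def diff_snapshots(before: RegSnapshot, after: RegSnapshot) -> Dict[str, list]:
    """Report keys created and values added or modified between two snapshots."""
    created_keys = sorted(k for k in after if k not in before)
    added_values: List[Tuple[str, str, str]] = []
    modified_values: List[Tuple[str, str, str, str]] = []
    for key in sorted(after):
        if key not in before:
            continue  # its values are covered by the created-key entry
        for name, data in sorted(after[key].items()):
            if name not in before[key]:
                added_values.append((key, name, data))
            elif before[key][name] != data:
                modified_values.append((key, name, before[key][name], data))
    return {"created_keys": created_keys, "added_values": added_values,
            "modified_values": modified_values}


def build_restore_plan(report: Dict[str, list]) -> List[Tuple[str, ...]]:
    """Turn a diff report into the cleanup steps the writeup describes:
    delete what the risk created and put modified values back."""
    plan: List[Tuple[str, ...]] = []
    for key in report["created_keys"]:
        plan.append(("delete_key", key))
    for key, name, _data in report["added_values"]:
        plan.append(("delete_value", key, name))
    for key, name, old, _new in report["modified_values"]:
        plan.append(("restore_value", key, name, old))
    return plan


# Constructed before/after exports; the Example* names and the update host
# are placeholders, not indicators from any real threat.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Program Files\\ExampleSync\\sync.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"UpdateUrl"="https://updates.example.com/"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Program Files\\ExampleSync\\sync.exe"
"ExampleTrojan"="C:\\Users\\Public\\example-trojan.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"UpdateUrl"="http://198.51.100.1/update"

[HKEY_CURRENT_USER\Software\ExampleTrojan]
"Installed"=dword:00000001
"""


def analyse_samples() -> Tuple[Dict[str, list], List[Tuple[str, ...]]]:
    """Diff the constructed exports and derive the restore plan."""
    report = diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))
    return report, build_restore_plan(report)


if __name__ == "__main__":
    report, plan = analyse_samples()
    for step in plan:
        print(*step)
```

On the constructed data the plan lists three steps: delete the created ExampleTrojan key, delete the added Run value, and restore the modified UpdateUrl value to its previous data. Values inside a created key are not listed separately because deleting the key removes them.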

Writeup By: Angela Thigpen