What it does: Downloader.EJD is a Trojan horse program that uses an updated version of an old trick: It's a false Microsoft security patch.

The actual Trojan horse program is separate from the mass-mailing that has been used to spread it, and it's the mailing that is most interesting. The From: address is spoofed as update@microsoft.com. The subject is What You Need to Know About the Zotob.A Worm. This is the body:

What You Should Know About Zotob
Published: August 14, 2005 | Updated: August 19, 2005 Severity VirusGreen

What the levels mean

Supported Software Affected
Windows All Version
Microsoft Security Advisory 899588
Zotob.A
Zotob.B
Zotob.C
Zotob.D
Zotob.E
Bobax.O
Esbot.A
Rbot.MA
Rbot.MB
Rbot.MC
Zotob is a worm that targets All Windows computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.

Important If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows, you are not at risk from Zotob and its variants.

Use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.

This tool checks for and removes infections from Zotob.A through Zotob.E as well as Bobax.O, Esbot.A, Rbot.MA, Rbot.MB, and Rbot.MC. It also checks for and removes all versions of malicious software that the tool has been updated to remove.

And, most importantly, the attachment is named MS05-039.EXE. It is 21,229 bytes and is compressed with the MEW program.

When the attachment is executed, it first downloads a second Trojan program, Agent.AII, and executes it. This program downloads additional malware which logs keystrokes and accesses multiple web sites. It also attempts to modify the settings of security programs on the user's computer.

None of these programs display anything that the user can look for, so this attack is difficult to recognize.