A password-stealing Trojan bombarded global email users over the weekend, leaving an unknown number exposed to a zero-day risk until Monday morning.

The PWSteal.Tarno.S Trojan, to give it its Symantec moniker, first appeared on Friday afternoon, and was subsequently reported in rising numbers in the early hours of Saturday. It increased dramatically in frequency throughout that day and Sunday.

According to e-mail managed services provider BlackSpider Technologies, a mainstream anti-virus vendor, Symantec, only issued an update for it on Monday morning at 9.55am (GMT), leaving users exposed to its payload for over two days.

“You don’t normally see a whole industry asleep for a whole weekend,” commented BlackSpider CTO James Kay.

One company, Sophos, said it had issued a software update covering the Trojan for its business users on Friday, not long after the malware was first discovered. Spokesperson Graham Cluley said the Trojan had accounted for up to 15 percent of malware traffic recorded by the company.

Symantec stopped short of denying that it had not brought out anti-virus updates until this morning. "Symantec's anti-spam solutions included a rule that would block this particular threat, maximising the protection for customers," the company said in a statement. Other vendors had not been reached at the time of going to press.

Techworld has confirmed that the password-stealing Trojan turned up in the email inboxes of many ordinary UK email users disguised as a service message from PayPal. BlackSpider’s assessment of it having been sent on 3.2 million occasions might actually be optimistic.

The Trojan initialises if the user clicks on an executable, which in turn downloads the main payload element of the program. From this point onwards, every time Internet Explorer is run, it monitors for any one of a long list of keywords such as “password”. If any one of these is noted, it attempts to steal the data.

PWSteal.Tarno.S - or Clagger-H to use the name given by Sophos - is the latest in a long line of Trojans that have attempted in recent months to exploit delays in anti-virus updates to maximise the number of victims. There is always some delay between a piece of malware appearing and an update being issued, but in this instance it appears possible that a number of providers have been caught off-guard.

The scam message is unusually well composed by the standards of these emails, though it makes one howling error in the email subject line by announcing to the recipient that “Your Account Temporally Limited”, an obvious giveaway.