A Trojan writer has been testing the response times of antivirus companies with malware that has been spammed out to over two million web users.

Managed security provider BlackSpider Technologies estimated that more than 2.4 million emails containing the Win32.small.cfg Trojan downloader were sent to UK businesses last night.

The malware was sent out in emails claiming to be about an unpaid invoice for a firm in Nottingham.

The message reads: 'Dear client! We are unable to obtain the bill payment from your bank account. We recently received a report of e-banking use associated with this account. As a precaution, we have limited access to your account in order to protect against future unauthorized transactions. You can check your transaction details in attachment.'

The attachment purporting to contain the invoice deposits the Trojan on the machine when opened.

The Trojan was spammed out from 9pm on 26 January and was specifically designed to exploit the time between a virus being released and antivirus vendors issuing a patch. The virus stopped shortly after Symantec responded at 0:45am on 27 January.

"This Trojan was successful in achieving what appears to be its main purpose of reaching as many inboxes as possible before the antivirus industry could react," said James Kay, chief technical officer at BlackSpider Technologies.

"Last year we saw many attempts to infect PCs during this 'window of exposure' and that trend looks set to continue in 2006.

"Businesses that are not using proactive intelligent threat prevention technology to tackle new viruses are leaving themselves at serious risk from infection, as this outbreak shows."