A Trojan horse differs from a virus in that it is a stand-alone program; the Trojan does not attach to another program. It differs from a worm in that it does not move from one computer to another on its own. A person must transfer it intentionally, such as by email.
For example, an attacker might email a Trojan with an innocous filename, attached to an email message that claims the program does something useful. When the user executes the attachment, it might modify or delete the content of the attacked machine (by deleting all files or formatting the hard disk). Newer Trojans also access networks, sometimes attacking them by flooding them with messages.
Typically, a Trojan horse is an executable code contained in e-mail attachments, usually in .exe, .scr, .bat, .pif and other pretended formats (but these extensions[?] might be "masked" behind false or additional extensions and however hide an executable program).
A prototypical Trojan horse is, for instance, a program called "SEXY.EXE" that is posted somewhere with a promise of "hot pix", but when executed erases all the files it can find and prints the message "arf, arf, I got you!".
It is prudent to always scan email attachments with updated antivirus software[?] before opening them. A typical Trojan does not infect other programs and is usually easily deleted.
See also Computer Security.