Email with an attachment called "server.exe" claimed to be an antivirus program for a virus called Pinkworm, but it was actually a trojan called SubSeven 2.0 Server.
The email was sent from a Japanese Hotmail account claiming to be
from Microsoft Japan Service. The email requests the recipient to run the attachment called "server.exe" which will protect the computer from the Pinkworm virus.

This program acts as the server application that allows a remote user to control and retrieve information from your system. Some of the capabilities include searching/retrieving/sending files, stealing passwords, changing the colors/resolution, playing sounds and changing the date/time.

This program will install itself into the Windows directory under a configurable name.
The default file name is KERNE1.EXE, but it can be configured
to any file name.
The program display a fake message during installation.
The text, buttons and icon in this message are also configurable. The default will display the following text:

Error
Out of system resources.

Once the server program is installed, the client program can access the server on a pre-defined port.
The remote user is notified that the server application has been installed on the your system. The server can send a page via ICQ, send a notification via IRC or send an e-mail message.

The default server program is 336,867 bytes in size, but it can be bound to another executable.

The server is executed upon Windows startup.
Either the Windows registry, WIN.INI or SYSTEM.INI is modified to run this program automatically or a RUN.EXE program is dropped in the Windows directory.
The registry is updated to execute the RUN.EXE program that, in
turn, starts the actual server program.

Deleted from the system.

Search for run.exe in the registry. If it appears as:

@="run.exe \"%1\" %*"

Delete the run.exe string from the registry value.

After:

@="\"%1\" %*"

Then deleted RUN.EXE file on the system.