Microsoft Word users should be extra careful about the files they download because hackers are exploiting an unpatched vulnerability in the popular word-processing software.

Yesterday, security vendor McAfee warned users about a Trojan program, called BackDoor-CKB!cfaae1e6, that secretly installs software on a computer. For the Trojan to work, however, hackers must first trick users into opening a malicious Word document. Once that has been done, though, the results can be nasty.

Unlike viruses and worms, Trojan programs do not make copies of themselves that keep spreading throughout the internet. Hackers directly distribute the programs, which are often disguised as useful or interesting downloads.

Once installed, the malware lets hackers "execute any external commands, download additional Trojans, capture desktop screen shots, monitor and record keystrokes or passwords", McAfee said in a statement on its website.

Symantec has confirmed that hackers are circulating the malware via malicious Word document email attachments. But at present its use is "limited to attacks against select targets," the company said in a note on its DeepSight threat analysis service.

Because users must download the malicious software in order to become infected, McAfee rates the risk of the Trojan as "low".

The Trojan works on Microsoft Word 2003, but causes Word 2000 to crash without installing the malware, Symantec said.

Microsoft executives were not immediately available to comment.