Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim’s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

Trojans differs from viruses and worms in that they don't replicate themselves, relying on a separate mechanism for distribution. Instead, their primary feature is that they masquerade as a legitimate program or offer something desirable (such as a
link for something free or interesting), but harbor a malevolent purpose.