Original URL: http://www.theregister.co.uk/2003/07/12/trojan_serves_porn_off_home/

Trojan serves porn off home PCs, not many dead

AOLers chief victims

By Thomas C Greene

Posted in Security, 12th July 2003 09:28 GMT

A new Trojan is turning Windows PCs into porn and spam relays, possibly as a means of harvesting credit card details, researcher Richard M. Smith has discovered.

At first it was suspected that the Trojan installs a Web server on the victim's machine from which the porn is served, but research by LURHQ indicates that it sets up a proxy which forwards the porn and x-rated spam and so keeps the originating server hidden.

Machines hosting the Trojan are not harmed in any way, but spam recipients who check out the porn on offer may become victims of fraud if they sign up for access using their credit cards.

The overall purpose appears to be establishing a semi-anonymous, distributed hosting scheme for malicious sites or for material that might invite retaliation from a Web host or the authorities, such as warez or child porn.

Only about two thousand home machines have been infected, but among them is a high proportion of AOL subscribers, implying that it may be spread via instant messaging. According to LURHQ it is easy to detect and defeat.

First, remove this registry key:

Software\Microsoft\Windows\CurrentVersion\Run\Login Service = wingate.exe

Then reboot the computer and remove this file:

%windir%\system32\wingate.exe.

The spam ads direct users to Russian porn sites chiefly, sometimes using servers that were involved in a recent Paypal scam, Smith notes. ®

Related Stories

Rise of the Spam Zombies
Trojan defence clears man of child porn charges
What's the difference between a viral attack and a scan?
Windows Root kits a stealthy threat
Mindjail worms way through IRC
Fizzer stealth worm spreads via KaZaA