You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

PornMagPass

 
Threat LevelModerate threatDamageHighDistributionNot widespread

Effects 

PornMagPass downloads the following malware to the affected computer:

  • Adware/SpywareQuake.
  • Application/SpywareQuake. It is an antispyware program that warns users that their computer is infected with spyware and that it can only be deleted if this program is purchased.
  • Adware/SystemDoctor. It installs a BHO (Browser Helper Object) in Internet Explorer. This BHO redirects to a website, where users are warned that the website is supposedly being blocked by an adware. In order to solve the problem, users are suggested to purchase an error repairing program that pretends to search for the errors in the system and delete them.

 

In order to do so, it follows the routine below:

  • PornMagPass offers free access to several magazines for adults, which are hosted in websites that can only be accessed if it is installed.
  • If users decide to install PornMagPass, they are displayed the following EULA (End User License Agreement) agreement:

  • Once installed:
    - a key-shaped icon appears in the System Tray, which allows users to access several websites for adults:



    - it downloads the malware mentioned above to the affected computer.

Infection strategy 

PornMagPass creates the following files:

  • ISHOST.EXE in the Windows directory. This file downloads the adware programs SpywareQuake and SystemDoctor to the affected computer.
  • PORNMAG PASS.LNK in the Desktop, which is a shortcut to PornMagPass.

 

Additionally, it creates several files in the following directories:

  • In the Start menu, it creates a group of programs called PORNMAG PASS.
  • In the subfolder PORNMAG PASS of the  Program Files directory.

 

PornMagPass creates several entries in the following paths of the Windows Registry:

  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    ishost.exe = %windir%\ishost.exe
    where %windir% is the Windows directory.
    By creating this entry, PornMagPass ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\ Software\ PornMag Pass
  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Uninstall\ PornMag Pass

Means of transmission 

PornMagPass can be downloaded when visiting certain websites for adults, and from the website belonging to the company that has developed it.

Further Details  

PornMagPass is 20,580 bytes in size.