PosX

Type: Program
SubType: Downloader
Discovery Date: 07/15/2003
Minimum DAT: 4279 (07/23/2003)
Updated DAT: 4640 (11/30/2005)
Minimum Engine: 5.1.00
Description Added: 11/04/2003
Description Modified: 11/04/2003 1:08 PM (PT)

Characteristics

This is not a virus or trojan. It is an application intended to download pornographic content from the Internet.

Application downloading

The user is most likely to come across this application via a small downloading component that retrieves the main application from a hard-coded URL contained in the downloading component.

The downloading component is 8,192 bytes in size (UPX packed) and written in MSVC. It is likely to be named MSDOS.EXE. This component is detected by the specified engine/DATs as PosX.dldr.

When executed, it checks the system to see if it has been run before (by checking for certain URLs in Internet cache files). Assuming it has not, it proceeds to download a remote file, from the following server:

rp7.xxxposition.net

The remote file is saved to %WinDir% as WINLOGON.EXE.

Pornographic Image downloading

The downloaded WINLOGON.EXE serves to download various images from remote servers, saving them to the local machine with misleading filenames. These images were of a pornographic nature at the time of writing. This component is also written in MSVC, and is likely to be packed with UPX.

When run on the target machine, the application attempts to delete C:\MSDOS.EXE (presumably an attempt to remove the downloader component described above). The application will then add a Registry hook to run itself at system startup, for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "winlogon" = %WinDir%\winlogon.exe

The pornographic images are downloaded from the following servers:

  • thesuperhzpcsite.com
  • xxxposition.net

They are saved to %WinDir% with filenames such as:

  • MSYNTHB.DLL
  • MSYNTHA.DLL
  • MSYNTHB2.DLL
  • MSYNTHA2.DLL
  • MSYNTH2.DLL
  • CNTRS.DLL

Detection of this type of file is not activated automatically. Users who would like to check for files of this kind on their system should run the command line scanner with the /PROGRAM switch.
Please note that VirusScan 7 also has an option which enables users to detect this kind of program automatically (see below).
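As an added example (not McAfee's own tooling or part of the original description), the following stand-alone Python check applies the indicators above: it flags a Run value that launches winlogon.exe from %WinDir% itself, and picks out the image filenames listed above from a %WinDir% directory listing. The genuine winlogon.exe lives in %WinDir%\System32 and is not started from the Run key; the sample Run values and listing are constructed.

```python
import ntpath
import re

# Image filenames this description says PosX writes to %WinDir%.
DROPPED_IMAGE_NAMES = {"MSYNTHB.DLL", "MSYNTHA.DLL", "MSYNTHB2.DLL",
                       "MSYNTHA2.DLL", "MSYNTH2.DLL", "CNTRS.DLL"}


def _expand_windir(path, windir):
    """Resolve %WinDir% case-insensitively, as the Run key would."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE)


def _command_image(command, windir):
    """Extract the executable path from a Run-key command, honouring quotes."""
    command = _expand_windir(command.strip(), windir)
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_posx_run_hook(run_values, windir):
    """Return (value name, image path) for Run values that launch a
    winlogon.exe sitting directly in %WinDir%. The genuine winlogon.exe is
    %WinDir%\\System32\\winlogon.exe and is never started from the Run key."""
    hits = []
    for name, command in run_values.items():
        image = _command_image(command, windir)
        if ntpath.basename(image).lower() != "winlogon.exe":
            continue
        if ntpath.normcase(ntpath.dirname(image)) == ntpath.normcase(windir):
            hits.append((name, image))
    return hits


def find_dropped_images(windir_listing):
    """Return entries of a %WinDir% listing that match the PosX image names."""
    return sorted(f for f in windir_listing if f.upper() in DROPPED_IMAGE_NAMES)


# Constructed sample data so the check runs offline (not from a real host).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "winlogon": r'"%WinDir%\winlogon.exe"',
}
SAMPLE_LISTING = ["explorer.exe", "MSYNTHA.DLL", "cntrs.dll", "notepad.exe"]

if __name__ == "__main__":
    print(find_posx_run_hook(SAMPLE_RUN, r"C:\WINDOWS"))
    print(find_dropped_images(SAMPLE_LISTING))
```

On a live Windows host the same two functions can be fed the values read from the Run key and the contents of %WinDir%.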

Aliases

  • Backdoor.Hazzer (NAV)
  • TROJ_RSLOCAL.A (Trend)
  • TrojanDownloader.Win32.Femad.a