ConMan Hack Trojan - Amiga Virus Encyclopedia


    Amiga Virus Encyclopedia    
    ConMan Hack Trojan

    ConMan-Hack trojan - (Iprefs)

    The archiv "hackt.lha" contains a fucking CONMAN trojan ! The archiv
    contains the file Hackt.exe, which is Turbo Squeezed.

    hackt.exe packed:   12692 Bytes
    hackt.exe unpacked: 12312 Bytes

    It installs a new process with the name CLI(0):console.device and
    writes a new file called C:Iprefs. This Iprefs is packed several
    times and uses the 4eb9 linker method to unlink some strange stuff.

    packed:    10820 Bytes
    unpacked:  14216 Bytes

    The "CLI(0):console.device" process will reset your machine after
    it wrote the new IPrefs file.

    The file  itself  contains an very  old IPrefs  and an, again packed,
    destructive  virus from  a guy  called CONMAN. It will try to destroy
    many sectors  by filling  them with the  word "CONMAN 1995". There is
    no rescue  for such sectors.  The destructive routine is just looking
    for "trackdisk.device", so no danger for harddiscs or so.

    The IPrefs file will install a new process called conman.device. This
    process contains  the  destruction  routine. VirusWorkshop is able to
    remove the dangerous DOIO() calls.

    The  ConMan viruses  were mostly  BBS hackers, now this guy reached a
    new dimension.  I got  yesterday a  phonecall from an  irritated user
    (someone of Krypton or so ?)  and he  told me  about his file. He got
    it from  a BBS in  Berlin,  which is thought to be  the homeplace  of 
    CONMAN. This guy told me that he had downloaded it around 6.4.1995,
    so this virus is on the wild.

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III, and also Xvs.library must be installed

    Test by Markus Schmall


Virum Help Team
Denmark & Canada
Copyright © All rights reserved