ConMan Hack Trojan - Amiga Virus Encyclopedia



    ConMan-Hack trojan - (Iprefs)

    The archive "hackt.lha" contains a fucking CONMAN trojan! The archive
    contains the file Hackt.exe, which is Turbo Squeezed.

    hackt.exe packed:   12692 Bytes
    hackt.exe unpacked: 12312 Bytes

    It installs a new process with the name CLI(0):console.device and
    writes a new file called C:Iprefs. This Iprefs is packed several
    times and uses the 4eb9 linker method to unlink some strange stuff.

    packed:    10820 Bytes
    unpacked:  14216 Bytes

    The "CLI(0):console.device" process will reset your machine after
    it has written the new IPrefs file.

    The file itself contains a very old IPrefs and a destructive virus,
    again packed, from a guy called CONMAN. It will try to destroy
    many sectors by filling them with the word "CONMAN 1995". There is
    no rescue for such sectors. The destructive routine only looks
    for "trackdisk.device", so hard disks and the like are not in danger.

    The IPrefs file will install a new process called conman.device. This
    process contains the destruction routine. VirusWorkshop is able to
    remove the dangerous DOIO() calls.
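
    Added example (not part of the original write-up and not VirusWorkshop
    code): a Python scan of a floppy image for sectors overwritten with the
    "CONMAN 1995" string, for assessing which sectors were hit. The exact
    fill layout is not given above, so the 50% coverage threshold, the
    double-density ADF geometry and all function names are assumptions.

```python
"""Find floppy-image sectors overwritten with the ConMan marker string."""
import sys

MARKER = b"CONMAN 1995"   # string named in the write-up
SECTOR_SIZE = 512         # trackdisk.device sector size
SECTORS_PER_TRACK = 11    # double-density Amiga floppy (assumed image type)
HEADS = 2
THRESHOLD = 0.5           # assumption: marker copies cover >= 50% of sector


def marker_coverage(sector: bytes) -> float:
    """Fraction of the sector occupied by non-overlapping marker copies."""
    return sector.count(MARKER) * len(MARKER) / len(sector) if sector else 0.0


def locate(block: int):
    """Map an ADF block number to (cylinder, head, sector)."""
    cyl, rest = divmod(block, SECTORS_PER_TRACK * HEADS)
    head, sec = divmod(rest, SECTORS_PER_TRACK)
    return cyl, head, sec


def scan_image(data: bytes, threshold: float = THRESHOLD):
    """Return (block, cyl, head, sec, coverage) for each overwritten sector."""
    hits = []
    for block in range(len(data) // SECTOR_SIZE):  # trailing partial sector ignored
        sector = data[block * SECTOR_SIZE:(block + 1) * SECTOR_SIZE]
        cov = marker_coverage(sector)
        if cov >= threshold:
            hits.append((block, *locate(block), round(cov, 2)))
    return hits


def build_sample() -> bytes:
    """Constructed 880 KB image: blocks 0 and 35 overwritten, block 100 intact."""
    img = bytearray(1760 * SECTOR_SIZE)
    fill = (MARKER * 47)[:SECTOR_SIZE]
    for block in (0, 35):
        img[block * SECTOR_SIZE:(block + 1) * SECTOR_SIZE] = fill
    # A single mention (e.g. a text file about the virus) must not be flagged.
    img[100 * SECTOR_SIZE:100 * SECTOR_SIZE + len(MARKER)] = MARKER
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample()
    for block, cyl, head, sec, cov in scan_image(image):
        print(f"block {block:4d}  cyl {cyl:2d} head {head} sec {sec:2d}  coverage {cov:.0%}")
```

    Run it with the path of a disk image as the only argument; without an
    argument it scans the constructed sample image.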

    The ConMan viruses were mostly BBS hackers; now this guy has reached a
    new dimension. Yesterday I got a phone call from an irritated user
    (someone of Krypton or so?) and he told me about his file. He got
    it from a BBS in Berlin, which is thought to be the home
    of CONMAN. This guy told me that he had downloaded it around 6.4.1995,
    so this virus is in the wild.

    Test by Markus Schmall


Virum Help Team
Denmark & Canada
Copyright © All rights reserved