Amiga Virus Encyclopedia
ConMan Hack Trojan
ConMan-Hack trojan - (Iprefs)
The archiv "hackt.lha" contains a fucking CONMAN trojan ! The archiv
contains the file Hackt.exe, which is Turbo Squeezed.
hackt.exe packed: 12692 Bytes
hackt.exe unpacked: 12312 Bytes
It installs a new process with the name CLI(0):console.device and
writes a new file called C:Iprefs. This Iprefs is packed several
times and uses the 4eb9 linker method to unlink some strange stuff.
packed: 10820 Bytes
unpacked: 14216 Bytes
The "CLI(0):console.device" process will reset your machine after
it wrote the new IPrefs file.
The file itself contains an very old IPrefs and an, again packed,
destructive virus from a guy called CONMAN. It will try to destroy
many sectors by filling them with the word "CONMAN 1995". There is
no rescue for such sectors. The destructive routine is just looking
for "trackdisk.device", so no danger for harddiscs or so.
The IPrefs file will install a new process called conman.device. This
process contains the destruction routine. VirusWorkshop is able to
remove the dangerous DOIO() calls.
The ConMan viruses were mostly BBS hackers, now this guy reached a
new dimension. I got yesterday a phonecall from an irritated user
(someone of Krypton or so ?) and he told me about his file. He got
it from a BBS in Berlin, which is thought to be the homeplace of
CONMAN. This guy told me that he had downloaded it around 6.4.1995,
so this virus is on the wild.
Test by Markus Schmall