ConMan-Hack trojan - (Iprefs)

The archive "hackt.lha" contains a fucking CONMAN trojan! The archive contains the file Hackt.exe, which is Turbo Squeezed.

hackt.exe packed: 12692 Bytes
hackt.exe unpacked: 12312 Bytes

It installs a new process with the name CLI(0):console.device and writes a new file called C:Iprefs. This Iprefs is packed several times and uses the 4eb9 linker method to unlink some strange stuff.

packed: 10820 Bytes
unpacked: 14216 Bytes

The "CLI(0):console.device" process will reset your machine after it has written the new IPrefs file. The file itself contains a very old IPrefs and a destructive virus, again packed, from a guy called CONMAN. It will try to destroy many sectors by filling them with the word "CONMAN 1995". There is no rescue for such sectors. The destructive routine only looks for "trackdisk.device", so there is no danger for hard disks or the like.

The IPrefs file will install a new process called conman.device. This process contains the destruction routine. VirusWorkshop is able to remove the dangerous DOIO() calls.

The ConMan viruses were mostly BBS hackers; now this guy has reached a new dimension. Yesterday I got a phone call from an irritated user (someone from Krypton or so?) and he told me about his file. He got it from a BBS in Berlin, which is thought to be the home of CONMAN. This guy told me that he had downloaded it around 6.4.1995, so this virus is in the wild.

Test by Markus Schmall
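A check for the floppy damage described above, as an added example that is not part of the original description: it scans an ADF floppy image for sectors that consist mostly of the text "CONMAN 1995" and reports their position. The ADF layout (880 KB, 11 sectors of 512 bytes per track), the 50% threshold and the sample image are assumptions; the description does not document the exact fill pattern.

```python
"""Scan an Amiga floppy image (ADF) for sectors overwritten with the CONMAN text."""
import sys
from typing import NamedTuple

MARKER = b"CONMAN 1995"      # fill text named in the description above
SECTOR_SIZE = 512            # block size of a trackdisk.device floppy
SECTORS_PER_TRACK = 11       # standard double-density Amiga floppy
HEADS = 2
MIN_COVERAGE = 0.5           # assumption: the exact fill layout is not documented

class Hit(NamedTuple):
    block: int
    cylinder: int
    head: int
    sector: int
    coverage: float

def find_overwritten_sectors(image: bytes, marker: bytes = MARKER,
                             min_coverage: float = MIN_COVERAGE) -> list:
    """Return every full sector whose bytes are mostly repetitions of marker."""
    hits = []
    for block in range(len(image) // SECTOR_SIZE):
        data = image[block * SECTOR_SIZE:(block + 1) * SECTOR_SIZE]
        coverage = data.count(marker) * len(marker) / SECTOR_SIZE
        if coverage >= min_coverage:
            track, sector = divmod(block, SECTORS_PER_TRACK)
            cylinder, head = divmod(track, HEADS)
            hits.append(Hit(block, cylinder, head, sector, round(coverage, 3)))
    return hits

def build_sample_image() -> bytes:
    """Constructed test data: a blank 880 KB image with two sectors filled."""
    image = bytearray(80 * HEADS * SECTORS_PER_TRACK * SECTOR_SIZE)
    fill = (MARKER * (SECTOR_SIZE // len(MARKER) + 1))[:SECTOR_SIZE]
    for block in (0, 880):   # boot block and root block positions
        image[block * SECTOR_SIZE:(block + 1) * SECTOR_SIZE] = fill
    # A lone copy of the text must not be reported as an overwritten sector.
    image[5 * SECTOR_SIZE:5 * SECTOR_SIZE + len(MARKER)] = MARKER
    return bytes(image)

if __name__ == "__main__":
    # Pass the path of an ADF image, or run without arguments for the sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for hit in find_overwritten_sectors(image):
        print(f"block {hit.block:4d}  cyl {hit.cylinder:2d} head {hit.head} "
              f"sector {hit.sector:2d}  coverage {hit.coverage:.0%}")
```

Run it against a copy of the disk image rather than the disk itself; sectors it reports hold no recoverable data and have to be restored from a backup.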