ConMan-Hack trojan - (Iprefs)

      The archive "hackt.lha" contains a fucking CONMAN trojan! The archive
      contains the file Hackt.exe, which is packed with Turbo Squeezer.

      hackt.exe packed:   12692 Bytes
      hackt.exe unpacked: 12312 Bytes

      It installs a new process with the name CLI(0):console.device and
      writes a new file called C:Iprefs. This Iprefs is packed several
      times and uses the 4eb9 linker method (a 68000 JSR abs.l, opcode
      $4EB9, placed at the start of the code) to unlink the code attached
      to it.

      packed:    10820 Bytes
      unpacked:  14216 Bytes

      The "CLI(0):console.device" process resets the machine after it has
      written the new IPrefs file.

      The file itself contains a very old IPrefs and, again packed, a
      destructive virus from a guy calling himself CONMAN. It tries to
      destroy many sectors by overwriting them with the string "CONMAN 1995".
      There is no rescue for such sectors. The destructive routine only
      looks for "trackdisk.device", so there is no danger for hard disks.
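      A damage-assessment scanner for a floppy image hit by this payload,
      added here as an example; it is not code from the original page and
      not part of VirusWorkshop. The page only says that sectors are filled
      with "CONMAN 1995", so the exact padding is an assumption: the scan
      treats a 512-byte trackdisk sector consisting of the marker repeated
      end to end as destroyed, and separately reports sectors that merely
      contain the marker once, so a different fill layout is still caught.
      The sample image is constructed inline.

```python
"""
Scan a raw Amiga floppy image (e.g. an .adf dump) for sectors overwritten
by the ConMan payload. Added example, not code from the original page or
from VirusWorkshop/ConMan. Assumption: the payload repeats the ASCII marker
"CONMAN 1995" across a whole 512-byte trackdisk sector.
"""

MARKER = b"CONMAN 1995"
SECTOR = 512          # trackdisk.device sector size
SECTORS_PER_CYL = 22  # 2 heads * 11 sectors on an 880 KB DD floppy


def sector_is_filled(data: bytes) -> bool:
    """True when the 512-byte sector is the marker repeated end to end."""
    pattern = (MARKER * (SECTOR // len(MARKER) + 1))[:SECTOR]
    return data == pattern


def scan_image(image: bytes):
    """Return (filled, partial): sector numbers that exactly match the
    repeated-marker fill, and sectors that contain the marker but do not
    match the fill pattern (assumed padding differs or data is mixed)."""
    filled, partial = [], []
    for n in range(len(image) // SECTOR):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if sector_is_filled(sec):
            filled.append(n)
        elif MARKER in sec:
            partial.append(n)
    return filled, partial


def chs(sector_no: int):
    """Map a linear sector number to (cylinder, head, sector) of an
    80-cylinder, 2-head, 11-sector Amiga DD floppy."""
    cyl, rem = divmod(sector_no, SECTORS_PER_CYL)
    head, sec = divmod(rem, 11)
    return cyl, head, sec


def build_sample_image() -> bytes:
    """Constructed 8-sector test image: sectors 2 and 5 fully overwritten,
    sector 7 carries the marker once inside otherwise intact data."""
    fill = (MARKER * 50)[:SECTOR]
    clean = bytes(range(256)) * 2          # 512 bytes of non-marker data
    sectors = [clean] * 8
    sectors[2] = fill
    sectors[5] = fill
    sectors[7] = clean[:100] + MARKER + clean[100 + len(MARKER):]
    return b"".join(sectors)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    filled, partial = scan_image(image)
    for n in filled:
        print("destroyed sector %4d  cyl %2d head %d sec %2d" % ((n,) + chs(n)))
    for n in partial:
        print("marker found in sector %4d (not a full fill)" % n)
    print("%d sectors destroyed, %d suspicious" % (len(filled), len(partial)))
```

      Run it against a raw dump of the affected disk; destroyed sectors are
      listed with their cylinder/head/sector position so the damaged tracks
      can be mapped against the file system.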

      The IPrefs file installs a new process called conman.device. This
      process contains the destruction routine. VirusWorkshop is able to
      remove the dangerous DoIO() calls.

      The ConMan viruses were mostly "BBS hackers"; now this guy has reached
      a new dimension. Yesterday I got a phone call from an irritated user
      (someone from Krypton or so?) who told me about this file. He got
      it from a BBS in Berlin, which is thought to be the home place
      of CONMAN. He told me that he had downloaded it around 6.4.1995,
      so this virus is in the wild.



      Test by Markus Schmall

