Prevent Online Threats

Archive for July, 2006

Mafia taking over Cyber Crime

Monday, July 31st, 2006

Cyber crime, which is classified as introducing any malicious software onto computers, is growing into one of the largest illegal revenue-earning industries. It is so big that over the past year it has brought in more money than drug trafficking. The more recent attacks are moving away from large multipurpose attacks to small focused attacks. Of these attacks, phishing threats appear to be the most commonly used. This cyber crime is now ruled more by the professional mafia than by single people attempting attacks. This makes the attacks worse and harder to detect. Cyber crime is steadily growing, and the professional crime community is now taking over. Computer users are urged to be on guard now more than ever before.

Carbuncle.622

Monday, July 31st, 2006

Details
Carbuncle.622

Carbuncle is a dangerous memory resident companion virus. It is a COM file 622 bytes long. On execution it checks the system time and, depending on the current seconds value, either jumps to the infection routine or calls the trigger function. In the infection routine the virus creates the file CARBUNCL.COM with the READONLY and HIDDEN attributes and writes itself (622 bytes) into that file. If this file is already present and is not READONLY, the virus overwrites it. If the file is READONLY, the virus tries to create and overwrite it but fails because it does not check or clear the file attributes.
Then the virus searches for EXE files using the DOS functions FindFirst/FindNext with the mask “*.exe” and infects them. On infection the virus renames the EXE file to CRP and creates a companion batch file with the name of the infected program and the BAT extension. As a result, after infection of one EXE file there are two files with the same name and the CRP and BAT extensions. CARBUNCL.COM is also in the same directory.
The companion batch file contains six lines of DOS commands. If the file FILENAME.EXE was infected, the companion FILENAME.BAT contains these lines:
@ECHO OFF
CARBUNCL
RENAME FILENAME.CRP FILENAME.EXE
FILENAME.EXE
RENAME FILENAME.EXE FILENAME.CRP
CARBUNCL

If the user tries to execute an EXE program, they type its name and DOS searches for the corresponding file as shown above. The EXE is absent because it was renamed to CRP, so DOS executes the BAT file, i.e. the companion BAT virus.
The first line of this BAT file disables DOS echo, which makes the virus less visible. The second line calls the main virus body from the CARBUNCL.COM file; the virus searches for uninfected files and infects them. Lines three to five force DOS to execute the infected EXE that is hidden under the CRP extension: the file is renamed to the EXE extension, executed as an EXE, and then renamed back to CRP. As the last action the BAT file executes the COM virus again.
If the current seconds value of the system time is less than or equal to 16, the virus calls the trigger subroutine. This code searches for the first five CRP files and overwrites them with the virus body. As a result these files are not recoverable and should be deleted; otherwise they will spread the virus on execution.
The virus contains internal text strings that are used when searching for uninfected files and when creating the BAT companion:
*.crp
CARBUNCL.COM
BAT*.exe
CRP
@ECHO OFF
CARBUNCL
RENAME

It also contains the ‘copyright’ string:
PC CARBUNCLE: Crypt Newsletter 14
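
A read-only check for the Carbuncle artifacts described above, as an added example that is not part of the original description: it finds batch files matching the six-line companion template and classifies each matching CRP host as restorable or overwritten by comparing its first 622 bytes with CARBUNCL.COM in the same directory. The function names, report keys and sample directory are constructed for illustration, and the exact case and whitespace of the batch template are assumptions.

```python
import tempfile
from pathlib import Path

VIRUS_LEN = 622            # virus length stated in the description
DROPPER = "CARBUNCL.COM"   # file the virus writes itself into

def companion_lines(stem):
    """The six batch lines the description lists for FILENAME.EXE."""
    return ["@ECHO OFF", "CARBUNCL", f"RENAME {stem}.CRP {stem}.EXE",
            f"{stem}.EXE", f"RENAME {stem}.EXE {stem}.CRP", "CARBUNCL"]

def head(path):
    with open(path, "rb") as fh:           # first VIRUS_LEN bytes only
        return fh.read(VIRUS_LEN)

def scan_directory(folder):
    """Read-only scan of one directory for Carbuncle companion artifacts."""
    names = {p.name.upper(): p for p in Path(folder).iterdir() if p.is_file()}
    body = head(names[DROPPER]) if DROPPER in names else None
    report = {"dropper": body is not None, "restorable": [],
              "overwritten": [], "bat_without_crp": []}
    for upper in sorted(n for n in names if n.endswith(".BAT")):
        stem = upper[:-4]
        text = names[upper].read_text(encoding="latin-1")
        lines = [ln.strip().upper() for ln in text.splitlines() if ln.strip()]
        if lines != companion_lines(stem):
            continue                       # an ordinary batch file
        crp = names.get(stem + ".CRP")
        if crp is None:
            report["bat_without_crp"].append(upper)
        elif body is not None and head(crp) == body:
            report["overwritten"].append(crp.name)   # trigger routine hit it
        else:
            report["restorable"].append(crp.name)    # rename back to .EXE
    return report

def demo():
    """Build a constructed sample directory and scan it."""
    fake_body = b"\x90" * VIRUS_LEN        # placeholder bytes, not the virus
    files = {DROPPER: fake_body,
             "EDIT.CRP": b"MZ" + b"\x00" * 2000,     # renamed, intact host
             "GAME.CRP": fake_body,                  # host hit by the trigger
             "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n"}
    for stem in ("EDIT", "GAME"):
        files[stem + ".BAT"] = "\r\n".join(companion_lines(stem)).encode()
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            Path(d, name).write_bytes(data)
        return scan_directory(d)
```

Files listed under "restorable" can be renamed back to the EXE extension once the companion BAT and CARBUNCL.COM are removed; files listed under "overwritten" match the case the description calls not recoverable.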

Cara.1024

Monday, July 31st, 2006

Details
Cara.1024

It is a harmless memory resident virus that affects .COM files when DOS accesses them. It contains some functions directed against other viruses:
if the memory size is not divisible by 10h, the virus types: “Virus es en memoria!”;
if some disk sectors contain the Boot-virus signature, “Cara.1024” writes into these sectors a small program that types while booting: “Disco es infectado. Reemplaza “Boot”. Clandestino Auto- Reproductivo Anti-virus”.
The infector contains the text “CARA” and hooks INT 13h, 20h, 21h.

Capicua.511

Monday, July 31st, 2006

Details
Capicua.511

It’s a dangerous memory resident parasitic virus. It copies itself into the system buffer, hooks INT 21h and writes itself to the end of .COM-files that are executed. Sometimes it terminates the program instead of executing it. It contains the internal text string: “*CAPICUA*”.

Caos.716

Monday, July 31st, 2006

Details
Caos.716

It’s a harmless memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of .COM-files that are accessed with DOS functions FindFirst and FindNext (on DIR command execution). The virus contains the internal text strings:
CAOS virii by WMÆ
Hoy en Dia, cualquier sentido que le puedas dar a la a vida no vale tanto
como para que esta merezca ser vivida.Virii Experimental, no es práctico ;)

Cantando.857

Monday, July 31st, 2006

Details
Cantando.857

It is a not dangerous, non-memory resident encrypted parasitic virus. It searches for COM files (except COMMAND.COM) and writes itself to the end of them. It deletes CHKLIST.MS files and displays the message:
* CaN_TaN_Do_v01 : “Onkos täällä kilttejä lapsia?-)” *

Cannibal.1312

Monday, July 31st, 2006

Details
Cannibal.1312

Cannibal.1312 is a dangerous memory resident encrypted parasitic virus. It hooks INT 10h, 28h, 2Fh, 4Ah, and on INT 10h and 28h calls it infects the file that performs the call. On infection the virus writes itself to the end of the file. It contains a bug and corrupts .EXE files on infection. It creates the file
C:\VIRUS.$$$\cannibal.max

and writes the text into it:
_______________________________________
MAX CANNIBAL vers.1.04
(c)93 PAVLOVO CITY
_______________________________________
“_” = non displayable character.

The virus displays that text on INT 4Ah calls. It also contains the internal text strings:
AIDS
Mad Max

Cannabis_II.1029

Monday, July 31st, 2006

Details
Cannabis_II.1029

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. While installing, it also infects the COMMAND.COM file; when infecting COMMAND.COM it does not increase its size but writes itself into the middle of the file.
The virus does not infect the files:
CL*.EXE, HW*.EXE, TB*.EXe, F-*.EXE, WC*.EXE, TK*.EXE

The virus contains the text string:
No! Cannabisall

Cannabis

Monday, July 31st, 2006

Details
Cannabis

It’s a not dangerous memory resident infector of floppy boot sectors. It hooks INT 13h. It contains the word “Cannabis”. It also types:
Hey man, I don’t wanna work. I’m too stoned right nowall
Non-System disk or disk error
Replace and press a key when ready

Candy.999

Monday, July 31st, 2006

Details
Candy.999

It is a not dangerous memory resident parasitic stealth virus. It hooks INT 21h and writes itself to the end of EXE files on writing to them (when files are copied or updated). The virus also has a COM file infection routine, but fails to infect them because of a bug.
The virus does not manifest itself in any way. It contains the text strings:
Speak my name 5 times in front of a mirrorall
Candyman, Candyman, Candyman, Candyman, …
Written by T-2000 / Immortal Riot

Cancerbero.Killer.670

Monday, July 31st, 2006

Details
Cancerbero.Killer.670

This is a harmless memory resident virus. It hooks INT 21h, and writes itself to the end of COM files that are executed. It contains the text:
Killer by Cancerbero

Cancerbero.1000

Monday, July 31st, 2006

Details
Cancerbero.1000

This is a dangerous non-memory resident parasitic virus. It searches for COM files, then writes itself to the end of the file. On the 30th of March, the virus erases the C: disk sectors, and displays the following message:
CANCERBERO

Calu.2429

Monday, July 31st, 2006

Details
Calu.2429

It is a dangerous non-memory resident parasitic polymorphic virus. It searches for .COM files, then writes itself to the end of the file. The virus’s polymorphic decryption loop contains several incorrect tricks; as a result, depending on the system timer, it cannot decrypt the virus body and the infected file halts the computer. The virus contains the texts:
[CALU]
Coding error: Too Drunk error !
I’m TOOSAD from Romania

Cagliari family

Sunday, July 30th, 2006

Details
Cagliari family

These are very dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of .COM files that are executed. On May 1st they erase the FAT sectors on disks A, B, C, D and then display the message:
caGLiArI

A similar string is used by the virus in its “Are you here?” call: while installing, the virus calls INT 21h with AX=FFABh, and the memory resident copy returns ‘CA’, ‘GL’, ‘IA’, ‘RI’ in registers AX, BX, CX, DX.

Caesar

Sunday, July 30th, 2006

Details
Caesar

This is a harmless, non-memory resident encrypted parasitic DOS virus. It infects DOS EXE files and creates its “dropper” in the C:\WINDOWS directory.
When an infected file is run, the virus creates the infected CAESAR.EXE file (the virus dropper) in the C:\WINDOWS directory and overwrites the WINSTART.BAT file with an instruction that will run the virus dropper. As a result, the virus dropper is activated each time Windows is started up. The virus then returns control to the host program and does not infect any other files.
When the virus dropper takes control, it searches for *.EXE files on all drives and infects them. While infecting, it writes itself to the end of the file. The virus checks file names and avoids infecting the following files:
AN*, AD*, DR*, PR*, NC*, WI*
Because of its method of infection, the virus is functional only when Windows is installed exactly in the C:\WINDOWS directory.

