Prevent Online Threats

Archive for September, 2008

CS.Gala

Tuesday, September 30th, 2008

This is the first known virus to infect CorelDraw scripts. When an infected script is run, it searches the current folder for other CorelDraw scripts (*.CSC files), reads them, and notes the names of the first infected and the first non-infected script it finds. It then reads the virus code from the infected script and writes it to the beginning of the non-infected victim script. The virus infects one script per run, and after infection it returns control to the original script commands.
While infecting, the virus uses the temporary file MALLORN.TMP: it renames the victim file to this name, creates a new file under the victim's name containing the virus code, and appends to it the original victim code read back from MALLORN.TMP.
On June 6th the virus manifests itself by displaying the following message window (the text is a passage from Tolkien's Quenya poem Namárië, Galadriel's lament):
GaLaDRieL ViRUS bY zAxOn/DDT
Ai! laurië lantar lassi súrinen!.
Yéni únótime ve rámar aldaron,
yéni ve linte yuldar vánier
mi oromardi lisse-miruvóreva
Andúne pella Vardo tellumar
nu luini yassen tintilar i eleni
ómaryo airetári-lirinen.

The virus code is bracketed by two comments, one at its very beginning and one at its very end, which can serve as detection markers:
REM ViRUS GaLaDRieL FOR COREL SCRIPT bY zAxOn/DDT
REM END OF ViRUS GaLaDRieL bY zAxOn/DDT

CorelDraw scripts can be infected because the application supports programs written in a scripting language very close to the Visual Basic used for MS Office macros. Like macros in MS Office and scripts in other applications, CorelDraw scripts are used to customize the application. The CorelDraw script language offers enough instructions to read and write disk files and to copy one script's code into another, which is all a virus needs.
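The two REM marker lines quoted above are enough to write a scanner and disinfector for this infection pattern. The following is an added example, not code from the original page or from any anti-virus product: it scans a folder of *.CSC files, treats a script as infected only when the head marker is the very first content (since the description says the virus prepends itself) and a tail marker follows, and strips everything between and including the two markers. The virus body itself is not reproduced; the constructed sample scripts use a placeholder comment where it would sit, and the original-script content is a made-up stand-in.

```python
"""Scan CorelDraw scripts for the CS.Gala marker comments and strip the block.

Added example; not code from the original page or from any anti-virus
product. It relies only on the two REM marker lines quoted in the
description, which bracket the virus code prepended to each victim
script. The virus body is NOT reproduced: the constructed fixtures
below use a placeholder comment where it would sit.
"""
import os
import tempfile

HEAD_MARKER = b"REM ViRUS GaLaDRieL FOR COREL SCRIPT bY zAxOn/DDT"
TAIL_MARKER = b"REM END OF ViRUS GaLaDRieL bY zAxOn/DDT"

# Constructed sample scripts (the "original" program is a harmless stand-in).
SAMPLE_CLEAN = b"REM original script\r\nMESSAGE \"hello from the real script\"\r\n"
SAMPLE_INFECTED = (
    HEAD_MARKER + b"\r\n"
    + b"REM <placeholder: virus body not reproduced>\r\n"
    + TAIL_MARKER + b"\r\n"
    + SAMPLE_CLEAN
)


def find_virus_block(data):
    """Return (start, end) byte offsets of the prepended virus block, or None.

    The virus writes itself to the *beginning* of the victim, so the head
    marker must be the first non-blank content; a copy of the marker that
    appears later (e.g. quoted inside a harmless script) is not an infection.
    A head marker with no tail marker is left alone rather than guessed at.
    """
    stripped = data.lstrip()
    if not stripped.startswith(HEAD_MARKER):
        return None
    start = len(data) - len(stripped)
    tail = data.find(TAIL_MARKER, start + len(HEAD_MARKER))
    if tail < 0:
        return None
    end = tail + len(TAIL_MARKER)
    # Also drop the line break that ends the tail-marker line.
    if data[end:end + 2] == b"\r\n":
        end += 2
    elif data[end:end + 1] in (b"\n", b"\r"):
        end += 1
    return start, end


def disinfect_bytes(data):
    """Return the script with the virus block removed (unchanged if clean)."""
    span = find_virus_block(data)
    if span is None:
        return data
    start, end = span
    return data[:start] + data[end:]


def scan_dir(folder, clean=False):
    """Map each *.CSC file in folder to True if infected; optionally clean it.

    The cleaned copy is written to a temporary name and renamed over the
    original, so an interrupted run cannot leave a half-written script.
    """
    result = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".csc"):
            continue
        path = os.path.join(folder, name)
        with open(path, "rb") as fh:
            data = fh.read()
        infected = find_virus_block(data) is not None
        result[name] = infected
        if infected and clean:
            tmp = path + ".clean.tmp"
            with open(tmp, "wb") as fh:
                fh.write(disinfect_bytes(data))
            os.replace(tmp, path)
    return result


def demo():
    """Write the fixtures to a temp folder, clean it, and return (before, after)."""
    with tempfile.TemporaryDirectory() as folder:
        for name, data in (("CLEAN.CSC", SAMPLE_CLEAN), ("VICTIM.CSC", SAMPLE_INFECTED)):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        before = scan_dir(folder, clean=True)
        after = scan_dir(folder)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Anchoring the head marker to the start of the file matters: a script that merely mentions the marker text (a write-up, a quoted sample) is not infected, and cutting from a marker found mid-file would destroy legitimate code. The rename-over-temp write mirrors the only safe way to do in-place disinfection of a file you are also reading.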

Cryptor family

Tuesday, September 30th, 2008

These are harmless non-memory-resident parasitic polymorphic viruses with a fairly strong polymorphic engine. They search for .COM files and write themselves to the end of each file. The viruses do not manifest themselves in any way; they contain the following text strings (three variants are known, each named by its length in bytes):
Cryptor.2169:
-= CrYpToR v1.0 =- (C)1995 by -Nigh+-$piri+-
[$UPD 1.0], $pirit’s Universal Polymorphic Device v1.0.
(C)1995 by -Nigh+-$piri+-

Cryptor.2852:
-= CrYpToR v1.5 =- (C)1996 by -Nigh+-$piri+-
[$UPD 1.5], $pirit’s Universal Polymorphic Device v1.5.
(C)1995-1996 by -Nigh+-$piri+-

Cryptor.3612:
-= CrYpToR v2.0 =- (C)1996 by -Nigh+-$piri+-
* BEST POLYMORPH-ENCRYPT VIRII IN WHOLE WORLD *
[$UPD 2.0], $pirit’s Universal Polymorphic Device v2.0.
(C)1995-1996 by -Nigh+-$piri+-

Crypt.134

Tuesday, September 30th, 2008

This is a very dangerous non-memory-resident encrypted overwriting virus. It searches for .COM files and overwrites them with its own body, so the original programs are destroyed rather than infected parasitically. The virus contains the texts:
*.com Crypt

Creeper.569

Tuesday, September 30th, 2008

This is a dangerous non-memory-resident parasitic virus. It searches for .COM files and for C:\COMMAND.COM, then writes itself to the end of each file. The virus deletes CHKLIST.* files (the integrity-checker databases of MSAV and CPAV, whose stored checksums would otherwise reveal the modified files), and depending on the system time and date it loads new video fonts. The virus contains the text strings:
*.com c:\chklist.* c:\command.com
The Creeper Virus V2.0

CrazyPunk.500

Monday, September 29th, 2008

This is a harmless non-memory-resident encrypted parasitic virus. It searches for COM files and writes itself to the end of each file. The virus contains text strings in Russian and the string:
(C) Crazy Punk

CrazyPriest.1416

Monday, September 29th, 2008

This is a dangerous non-memory-resident parasitic virus. It searches for .COM and .EXE files and writes itself to their ends. Depending on the system date it deletes files instead of infecting them, erases the MBR of drive C: and displays messages in Russian and:
Hello i’m virus Crazy Priest !!!
HAPPY BIRTHDAY CRAZY !!!

It also contains the internal strings:
by CRAZY *.* COMMAND.COM

CrazyEddie

Monday, September 29th, 2008

This is a very dangerous memory-resident virus. It searches for COM and EXE files and infects them in the usual parasitic way. On start-up it overwrites the MBR of the hard drive. It goes resident (TSR) only when an infected file is run. It encrypts the contents of directories and files using a complex algorithm. It hooks INT 01h (the single-step trap used by debuggers), INT 08h (the timer) and INT 13h (disk services), and contains the text "Crazy Eddie".

CrazyBytes.1418

Monday, September 29th, 2008

This is a harmless memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files as they are executed. The virus does not infect files whose names contain any of the following substrings (many of them belong to anti-virus and system utilities of the period):
L386, RWEB, \WEB, TEST, AIDS, \AVP, SCAN, IVIR, DINF, MODE,
RMAT, KEYB, MORE, \SYS, SKEY, OICE, COPY, TBAV, VPRO, LITE,
PTSR

The virus contains the text string:
“Crazy bytes” version 1.00

CrazyBoot

Monday, September 29th, 2008

This is a dangerous memory-resident stealth virus. It hooks INT 13h and infects the MBR of the hard drive and the boot sectors of floppies. When infecting a floppy it stores the virus body at a wrong address and so corrupts data files on the diskette. Depending on its internal counters it displays the message:
Don't PLAY with the PC !
Otherwise you will get in 'DEEP,DEEP' trouble !
Crazy Boot Ver. 1.0

Crazy.1402

Monday, September 29th, 2008

These are harmless memory-resident stealth viruses that infect COM files when a program terminates (the DOS Exit and Keep functions), when files are searched (FindFirst and FindNext) or when a file is closed. The viruses reduce the memory size reported to DOS (the base-memory word at address 0000:0413 in the BIOS data area) to hide the memory they occupy. They hook 12 DOS functions and use a stealth mechanism: infected files are presented in their original form when they are accessed. On installation the viruses create two copies of themselves in RAM, an operational one and a backup. On every INT 1Ch call (timer tick) the "Crazy" viruses write the backup copy over the operational copy, so that any breakpoints a debugger has patched into the working copy are overwritten. The viruses hook INT 1Ch and INT 21h and contain the text:
"Crazy.1402" - Crazy imp. v1.5
"Crazy.1445" - Crazy imp. v2.0

Crawly.6624

Sunday, September 28th, 2008

This is a not dangerous, non-memory-resident companion virus. It searches for .EXE files and creates companion .COM files of the same name containing the virus body; because DOS runs NAME.COM in preference to NAME.EXE, the companion executes first whenever the program is started by name. Sometimes it plays a tune and types: "The Creepy Crawly".
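Because a companion virus leaves the host .EXE untouched, file-integrity checks on the .EXE show nothing; the thing to look for is the extra .COM beside it. The following is an added example, not code from the original page or from any anti-virus product: it lists every .EXE in a folder that has a same-stem .COM sibling and flags those whose .COM has the expected virus length, or, when no length is known, whose size is shared by several companions (one virus body, one size). It assumes that the 6624 in the name is the virus length in bytes (the usual naming convention on this page); the fixture files are constructed filler, not real programs.

```python
"""Heuristic detector for companion-virus infections in a DOS program folder.

Added example, not code from the original page or from any anti-virus
product. Crawly.6624 leaves each .EXE intact and drops a same-named .COM
beside it; because COMMAND.COM resolves NAME.COM before NAME.EXE, the
companion runs first. Two checks are combined:
  1. an .EXE with a same-stem .COM sibling (the companion pair itself);
  2. the companion .COM has the expected virus length, or several companions
     share one identical length (one virus body, one size).
Assumption: the 6624 in the name is the virus length in bytes; the fixture
files below are constructed placeholders, not real executables.
"""
import os
import tempfile
from collections import Counter

CRAWLY_LEN = 6624  # assumed from the name suffix


def find_companion_pairs(folder):
    """Return {STEM: (exe_name, com_name, com_size)} for every .EXE/.COM pair."""
    by_stem = {}
    for name in os.listdir(folder):
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
    pairs = {}
    for stem, exts in by_stem.items():
        if ".EXE" in exts and ".COM" in exts:
            com_path = os.path.join(folder, exts[".COM"])
            pairs[stem] = (exts[".EXE"], exts[".COM"], os.path.getsize(com_path))
    return pairs


def suspicious_companions(folder, expected_len=None):
    """Return the sorted stems whose .COM companion looks like a virus body.

    With expected_len, flag companions of exactly that size. Without it,
    flag any size shared by two or more companions: legitimate programs that
    ship both a .COM and an .EXE rarely have identical .COM sizes, while a
    companion virus drops the same body everywhere.
    """
    pairs = find_companion_pairs(folder)
    size_count = Counter(size for _, _, size in pairs.values())
    flagged = []
    for stem, (_exe, _com, size) in sorted(pairs.items()):
        if expected_len is not None:
            hit = size == expected_len
        else:
            hit = size_count[size] >= 2
        if hit:
            flagged.append(stem)
    return flagged


def _write(folder, name, size):
    """Create a filler file of the given size (constructed fixture, not code)."""
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(b"\x90" * size)


def demo():
    """Constructed folder: two infected pairs, one legitimate pair, one lone EXE.

    Returns (flagged with known length, flagged by shared-size heuristic).
    """
    with tempfile.TemporaryDirectory() as folder:
        _write(folder, "GAME.EXE", 40000)
        _write(folder, "GAME.COM", CRAWLY_LEN)      # companion dropped by the virus
        _write(folder, "EDITOR.EXE", 55000)
        _write(folder, "EDITOR.COM", CRAWLY_LEN)    # companion dropped by the virus
        _write(folder, "LEGIT.EXE", 30000)
        _write(folder, "LEGIT.COM", 1200)           # genuine small loader, different size
        _write(folder, "LONELY.EXE", 12000)         # no companion at all
        return (suspicious_companions(folder, CRAWLY_LEN),
                suspicious_companions(folder))


if __name__ == "__main__":
    print(demo())
```

On a real DOS volume the companion is often given the hidden attribute so that DIR does not show it; a scanner should therefore enumerate hidden entries too, which `os.listdir` does. The shared-size heuristic is deliberately conservative (two or more identical companions) so that a single legitimate COM/EXE pair is not flagged.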

Crawler.545

Sunday, September 28th, 2008

These are harmless non-memory-resident encrypted parasitic viruses. They search for .COM files other than COMMAND.COM and write themselves to the end of each file. The viruses do not manifest themselves in any way; they contain the text strings:
Thank God for the bomb
Night Crawler , 11/1995
PS*.COM

Crasher.659

Sunday, September 28th, 2008

This is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the beginning of COM files as they are opened. The virus contains the string:
(C) CRASHER X
On December 20th it erases C: drive sectors and displays the message:
Dear users !
Hapy new year !
*
/ / /_ * _*

