Crock.A

E-mail/Worm

Type

E-mail, Worm

Platform

Microsoft Windows 9X

Microsoft Windows NT

Source language

Visual Basic 5.0

File type

EXE (Host)

Author

vAndEEd0

Timestamp

2003-05-30 (Referenced in source code)

Aliases

Worm/Crock.2 (Avira)

Email-Worm.Win32.Crock (Kaspersky)

W32/Danvee@MM (McAfee)

Worm:Win32/Danvee.A@mm (Microsoft)

W32/Crock-A (Sophos)

W32.Danvee@mm (Symantec)

Intro

This worm displays a fake Yahoo! login prompt requesting your Yahoo! ID and password. If you submit the filled-in form, the worm sends an e-mail message containing the entered credentials to all contacts in your address book.

Re-launch prevention

When you launch the worm, it puts an infection marker in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion with the value name "System Signature" and data containing two numbers.

If you try to re-run the worm, the new instance quickly closes its window, but the worm remains active.

Startup

The worm may drop two or three files in the StartUp folder for all users: CROCK.BAT, CROCK.SCR (hidden) and CROCK.EXE. The executables appear to be identical to the original copy of the worm, but the batch file is different and does not seem to be properly formatted.

CROCK.BAT may contain the following text:

bat.CROCK by vAndEEd0
bat.crock
crocko rocks
how simple batch viruses are
very cool, huh, I like to 
format c: /q
vAndEEd0

The "format c: /q" line is a command to quick-format the C: drive. Note that line breaks in the file may not be displayed correctly, so the position of that line in the listing above may not match the actual file.
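The registry marker from "Re-launch prevention" and the three Startup folder files above are the host-side indicators a responder would check for. The following PowerShell sweep is an added example written for this page; it is not code from the original page or from the worm's author. The output field names and the $findings variable are my own choices; the indicator values (the "System Signature" value name, the key path, and the CROCK.* file names) are taken from the description above.

```powershell
# Added example (not from the original page or the worm's author): sweep a host
# for the Crock.A indicators described on this page.
$findings = @()

# 1. Re-launch marker: value "System Signature" under HKCU\...\CurrentVersion.
#    HKCU is per-user, so run this as each user who may have launched the worm.
$markerKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$marker = Get-ItemProperty -Path $markerKey -Name 'System Signature' -ErrorAction SilentlyContinue
if ($null -ne $marker) {
    $findings += [pscustomobject]@{
        Indicator = 'Registry marker'
        Location  = "$markerKey\System Signature"
        Detail    = $marker.'System Signature'
    }
}

# 2. Droppers in the all-users Startup folder. -Force is required so that the
#    hidden CROCK.SCR is not skipped by Get-Item.
$startup = [Environment]::GetFolderPath('CommonStartup')
foreach ($name in 'CROCK.BAT', 'CROCK.SCR', 'CROCK.EXE') {
    $path = Join-Path $startup $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $detail = "attributes: $($item.Attributes); size: $($item.Length) bytes"
        # The batch file carries a quick format of C:; flag that line explicitly
        # regardless of how the line breaks in the file are laid out.
        if ($name -eq 'CROCK.BAT') {
            $text = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?i)format\s+c:') { $detail += '; contains "format c:"' }
        }
        $findings += [pscustomobject]@{
            Indicator = 'Startup dropper'
            Location  = $path
            Detail    = $detail
        }
    }
}

# 3. Running copies. Process names drop the extension, so both CROCK.EXE and
#    CROCK.SCR show up as "CROCK".
Get-Process -Name 'CROCK' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Indicator = 'Running process'
        Location  = "PID $($_.Id)"
        Detail    = $_.Path
    }
}

if ($findings.Count -eq 0) {
    'No Crock.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the all-users Startup folder is readable; because the marker lives under HKCU, a clean result for one user does not clear the other profiles on the machine. Finding the marker alone is not proof the worm is still running, since the page describes it only as the re-launch check; the Startup folder files and a running CROCK process are the stronger signals.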

Refusal

If you refuse to submit the credentials, the worm sends an e-mail message with a different message body:

Subject:
Yahoo Game House

Body:
From the makers of Yahoo Game House, here is a new game from vAndEEd0!
The Crock
Yahooligans!

The attachment is a copy of the worm itself.

Process killing

The worm terminates processes with the following names (comma-separated list):

_Avp, Ackwin32, Anti-Trojan, Apvxdwin, Avconsol, Avkserv, Avnt, AVP MONITOR, AVPMON, Avsched32, Avwin95, Avwupd32, BLACKICE, Blackice, Esafe, F-Agnt95, Fprot, F-Prot, Fp-Win, F-STOPW, F-Stopw, IOMON98, Lockdown2000, N32scanw, NAI_VS_STAT, Nisum, Nmain, Normist, Nupgrade, Nvc95, Outpost, Padmin, Pavcl, Pavsched, Pavw, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, Rescue, Safeweb, Scan, Serv95, Sweep, Tbscan, Vet95, Vscan40, Vshwin32, Webscanx, Wfindv32, Zonealarm

The worm kills any process with one of these names, even if it is not related to antivirus software.

Features excerpt from source code comment

worm.crock
May 30, 2003 - vAndEEd0
Features: this is fake yahoo dialog box
1. mass mailer only if cancel
2. attempt reset cmos. in first tuesday of even month
3. register as service
4. hidden attribute at startup folder
5. drop simple bat infecting virus in startup folder
6. disable AV software
7. spread to network mail (MAPI recipients) yahoo password and username if ok
8. compile with p-code
9. used upx124 and crafted

Notes

The source code comments mention resetting the CMOS and other behaviour that is not described on this page. Most of this content was written before the source code was seen and may need updating.


Links

Article (VX Underground - rRlf #4 - Redemption)

Demo (Tom.K)

Demo - Revisited (Tom.K)

Description (Sophos)

Description (Microsoft)

Description (Trend Micro)

Description (Symantec)

Description (Dead) (Symantec)