Microsoft Windows 9X
Microsoft Windows NT
Visual Basic 5.0
2003-05-30 (Referenced in source code)
This worm displays a fake Yahoo! login prompt asking for your Yahoo! ID and password. If you submit the filled-in form, the worm sends an e-mail message containing the entered credentials to all contacts in your address book.
When launched, the worm writes an infection marker under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion: a value named "System Signature" whose data contains two numbers.
If you run the worm again while the marker is present, it closes its window almost immediately but stays active in the background.
The worm may drop two or three files into the all-users StartUp folder: CROCK.BAT, CROCK.SCR (with the hidden attribute set) and CROCK.EXE. The two executables appear to be identical copies of the original worm; the batch file is different and does not seem to be properly formatted.
CROCK.BAT may contain the following text:
bat.CROCK by vAndEEd0 bat.crock crocko rocks how simple batch viruses are very cool, huh, I like to format c: /q vAndEEd0
The last line is a command that quick-formats the C: drive. Note that the line breaks of the batch file may not be displayed properly above.
If you cancel the prompt instead of submitting credentials, the worm sends an e-mail message with a different body:
Subject: Yahoo Game House
Body: From the makers of Yahoo Game House, here is a new game from vAndEEd0! The Crock Yahooligans!
The attachment is another copy of the worm.
The worm terminates processes with the following names (comma-separated):
_Avp, Ackwin32, Anti-Trojan, Apvxdwin, Avconsol, Avkserv, Avnt, AVP MONITOR, AVPMON, Avsched32, Avwin95, Avwupd32, BLACKICE, Blackice, Esafe, F-Agnt95, Fprot, F-Prot, Fp-Win, F-STOPW, F-Stopw, IOMON98, Lockdown2000, N32scanw, NAI_VS_STAT, Nisum, Nmain, Normist, Nupgrade, Nvc95, Outpost, Padmin, Pavcl, Pavsched, Pavw, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, Rescue, Safeweb, Scan, Serv95, Sweep, Tbscan, Vet95, Vscan40, Vshwin32, Webscanx, Wfindv32, Zonealarm
The worm kills any process carrying one of these names, even if it is not an anti-virus or firewall product; generic names such as Scan or Rescue will match unrelated software too.
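The following triage helper is an added example, not code from the original page and not the worm's own code. It checks a host (or a startup folder copied to an analysis box) for the indicators described above: the dropped CROCK.* files and whether they are hidden, whether CROCK.SCR and CROCK.EXE are byte-identical copies, whether CROCK.BAT carries the format command, the "System Signature" marker under HKCU, and which entries of a process list fall into the kill list. The page does not say how the worm compares process names; the case-insensitive match on the image name without extension is an assumption of this example, and the file names and contents used in the usage are constructed.

```python
"""Triage helper for the Crock indicators described on this page (added
example, not the worm's code). Assumption: process names are matched
case-insensitively on the image name without its extension."""
import hashlib
import os
import sys

MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
MARKER_VALUE = "System Signature"
DROPPED_FILES = ("CROCK.BAT", "CROCK.SCR", "CROCK.EXE")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit in st_file_attributes

# Process names the worm terminates, as listed on this page (lower-cased).
KILL_LIST = frozenset(n.lower() for n in (
    "_Avp", "Ackwin32", "Anti-Trojan", "Apvxdwin", "Avconsol", "Avkserv",
    "Avnt", "AVP MONITOR", "AVPMON", "Avsched32", "Avwin95", "Avwupd32",
    "BLACKICE", "Esafe", "F-Agnt95", "Fprot", "F-Prot", "Fp-Win", "F-STOPW",
    "IOMON98", "Lockdown2000", "N32scanw", "NAI_VS_STAT", "Nisum", "Nmain",
    "Normist", "Nupgrade", "Nvc95", "Outpost", "Padmin", "Pavcl", "Pavsched",
    "Pavw", "Pccwin98", "Pcfwallicon", "Persfw", "POP3TRAP", "Rescue",
    "Safeweb", "Scan", "Serv95", "Sweep", "Tbscan", "Vet95", "Vscan40",
    "Vshwin32", "Webscanx", "Wfindv32", "Zonealarm"))


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _is_hidden(path):
    """Windows hidden attribute, or None where os.stat() does not report it."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_startup_dir(startup_dir):
    """Look for the dropped files (case-insensitively, so a folder copied to a
    non-Windows analysis box works too). Reports the hidden attribute and
    SHA-256 of each, whether CROCK.SCR and CROCK.EXE are byte-identical, and
    whether the batch file contains a 'format c:' command."""
    present = {e.upper(): e for e in os.listdir(startup_dir)}
    files = {}
    for name in DROPPED_FILES:
        actual = present.get(name)
        if actual is None:
            continue
        path = os.path.join(startup_dir, actual)
        info = {"hidden": _is_hidden(path), "sha256": _sha256(path)}
        if name == "CROCK.BAT":
            with open(path, "rb") as f:
                text = f.read().decode("latin-1").lower()
            info["format_command"] = "format c:" in text
        files[name] = info
    digests = [files[n]["sha256"] for n in ("CROCK.SCR", "CROCK.EXE") if n in files]
    return {"files": files,
            "identical_copies": len(digests) == 2 and digests[0] == digests[1]}


def read_marker():
    """The 'System Signature' value under HKCU, or None if it is absent or
    this is not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, MARKER_VALUE)
            return value
    except OSError:
        return None


def targeted_processes(running):
    """Return the entries of a process list that the worm would terminate."""
    hits = []
    for proc in running:
        image = proc.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path
        base = os.path.splitext(image)[0].lower()           # strip .exe/.scr
        if base in KILL_LIST:
            hits.append(proc)
    return hits


if __name__ == "__main__":
    # Usage: python crock_triage.py <startup folder> [process names...]
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    print("startup folder:", scan_startup_dir(folder))
    print("registry marker:", read_marker())
    print("would be killed:", targeted_processes(sys.argv[2:]))
```

The hidden-attribute check returns None rather than False on systems whose os.stat() has no st_file_attributes, so a missing attribute on a copied folder is not mistaken for "not hidden". The marker check reads only the value's presence and data; the page gives no format for the two numbers, so nothing is parsed from them.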
worm.crock May 30, 2003 - vAndEEd0
Features: this is fake yahoo dialog box
1. mass mailer only if cancel
2. attempt reset cmos. in first tuesday of even month
3. register as service
4. hidden attribute at startup folder
5. drop simple bat infecting virus in startup folder
6. disable AV software
7. spread to network mail (MAPI recipients) yahoo password and username if ok
8. compile with p-code
9. used upx124 and crafted
The source code comments mention resetting the CMOS and other details that are not described on this page. This description was mostly written before the source code was seen and may need further updates.