W32/Choke.a.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 06/06/2001
Length: 40,960
Minimum DAT: 4143 (06/13/2001)
Updated DAT: 4143 (06/13/2001)
Minimum Engine: 5.1.00
Description Added: 06/06/2001
Description Modified: 10/17/2003 2:22 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This is the second known worm that spreads via Microsoft's MSN Messenger program. If MSN Messenger is not installed on the local system, the worm will install itself, but fail to spread to others from that system.

W32/Choke.a.worm arrives as a Visual Basic application via MSN Messenger. The filename varies, but always ends in .EXE. When run, the worm displays a message box entitled "Choke", which reads "This program needs Flash 6.5 to run!". Clicking OK displays a second message box, entitled "Run time error", which reads "Cannot run program!, Quiting".

The program then copies itself to the root directory of the current drive as CHOKE.EXE, [MSN Messenger account domain name prefix].EXE (e.g. HOTMAIL.EXE), and [FIRST NAME of the MSN Messenger account user].EXE (e.g. JOHN.EXE). It also creates the text file ABOUT.TXT, which contains the text:
Choke , Copyright ® 1886 ... A MAD CHRISTIAN

A registry run key is created to load the worm at startup. The "-blahhh" switch is used to suppress the dialog boxes:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Choke="C:\choke.exe -blahhh"

Once running, the worm will send itself to MSN Messenger users who chat with an infected user. When the file is sent, a message is sent along with it:

President bush shooter is game that allows you to shoot Bush balzz hahaha

The name of the attachment varies and may use one of the following:

ShootPresidentBUSH.exe
Choke.exe
[Sender's First Name].exe
Hotmail.exe

Symptoms

- Presence of the files C:\CHOKE.EXE and C:\ABOUT.TXT
- When attempting to send messages, a smiley face graphic is displayed rather than the intended text
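
A triage sketch for the indicators described above, added here as an example (it is not McAfee's code): it parses `reg query` text output for the HKCU Run key and checks a root-directory listing. The sample input is constructed, and the drive-root check generalizes beyond the single path the description gives.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "choke"
SUPPRESS_SWITCH = "-blahhh"
ROOT_FILES = {"choke.exe", "about.txt"}  # weak on their own, useful together

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
# An .exe started directly from a drive root, e.g. C:\choke.exe (assumed heuristic).
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.exe\b', re.IGNORECASE)

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Choke    REG_SZ    C:\choke.exe -blahhh
    Updater    REG_SZ    "C:\Program Files\Tool\updater.exe" /background
"""
SAMPLE_ROOT = ["AUTOEXEC.BAT", "CHOKE.EXE", "ABOUT.TXT", "WINDOWS"]


def parse_run_values(reg_output):
    """Return {value name: command line} from `reg query` text output."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            values[m.group("name")] = m.group("data").strip()
    return values


def triage(reg_output, root_listing):
    """List (kind, item, reasons) findings for the Run key and root directory."""
    findings = []
    for name, cmd in parse_run_values(reg_output).items():
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name")
        if SUPPRESS_SWITCH in cmd.lower().split():
            reasons.append("-blahhh switch")
        if ROOT_EXE.match(cmd):
            reasons.append("exe in drive root")
        if reasons:
            findings.append(("run-key", name, reasons))
    present = sorted(f for f in (n.lower() for n in root_listing) if f in ROOT_FILES)
    if present:
        findings.append(("root-files", ", ".join(present), ["dropped file name"]))
    return findings
```
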

Method of Infection

This worm requires MSN Messenger to be running in order to spread. It arrives as an MSN Messenger message attachment with various filenames. If that attachment is accepted and run, the local system is then used to propagate the virus to others.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

  • W32/Choke.b.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Choke (AVP)
  • MSM/Psychopatt
  • W32/Choke (Sophos)
  • W32/Choke.gen.worm
  • W32/Choke.worm
  • W32/Choke.worm.gen
  • Win32.Choke (CA)
