W32/Choke.c.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/08/2001
- Length: 49,152
- Minimum DAT: 4154 (08/15/2001)
- Updated DAT: 4154 (08/15/2001)
- Minimum Engine: 5.1.00
- Description Added: 08/15/2001
- Description Modified: 09/06/2001 1:49 PM (PT)
Characteristics
This worm spreads via Microsoft's MSN Messenger program. If MSN Messenger is not installed on the local system, the worm could install itself, but would fail to spread to others from that system.
W32/Choke.c.worm arrives via MSN Messenger as a Visual Basic application named PIC1324.EXE. When run, the worm displays a message box titled "Error" that reads "Cannot open file. May be corupted. Replace the file with a new one and try again".
The worm then creates a registry Run value so that it loads at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSN Messenger="%WormPath%\PIC1324.exe"
Once running, the worm will send itself to MSN Messenger users who chat with the infected user. The worm monitors all incoming messages.
Whenever the infected machine receives a message containing certain words, it sends itself to that user along with the following responses:
| Message Sent | Response |
| --- | --- |
| send | there |
| sure | |
| maybe | pweese ? :-) |
| i guess | i hope you like it |
| ok | alright, here ya go |
| yea | alright, here ya go |
| yes | alright, here ya go |
To encourage a victim to enter these words, the worm occasionally responds to a received message with:
hey, want me to send my new pic?
i took it yesterday
Symptoms
- Presence of the file PIC1324.EXE
- Contacts stating that you've sent them a file when you did not
- Additionally the worm may attempt to create the file C:\Messenger1324\Brain\1Read Me.txt which contains the text:
I come in piece. My name is Jerry.
The purpose of me is to spread. I'm not annoying, nor dangerous.
How to remove me:
1) Click Start, select Run. The Run dialog box pops up.
2) Type: msconfig The System Configuration Utility pops up.
3) Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.
4) Restart your computer Or press Ctrl - Alt - Del, select MsgSprd from the list, then press End Task.
You may freely delete the files or the 'C:\Messenger1324' directory.
Method of Infection
This worm requires MSN Messenger to be running in order to spread. It arrives as an MSN Messenger message attachment. If that attachment is accepted and run, the local system is then used to propagate the worm to others.
Removal
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
- Delete the registry key(s) as mentioned above
- Restart the computer
- Delete the files mentioned above
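A triage check for the indicators listed above, as an added example that is not part of the original description: it parses the text output of `reg query` for the Run key, plus a list of file paths, and reports matches. The sample registry output, the `C:\WINDOWS\TEMP` location and the function names are constructed for illustration.

```python
import re

WORM_FILE = "pic1324.exe"        # file name given in the description
WORM_DIR = r"c:\messenger1324"   # directory named under Symptoms

# One value line of `reg query` output: "    <name>    REG_SZ    <data>"
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")
# The worm file name as a whole path component, quoted or followed by arguments
WORM_IN_CMD = re.compile(r'(?:^|[\\"])pic1324\.exe(?:"|\s|$)', re.IGNORECASE)

def parse_run_values(reg_query_output):
    """Parse `reg query <key>` text into {value name: data}."""
    values = {}
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def find_indicators(reg_query_output, paths):
    """Return (kind, detail) tuples for every indicator that matches."""
    findings = []
    for name, data in parse_run_values(reg_query_output).items():
        if WORM_IN_CMD.search(data):
            findings.append(("run-value", f"{name}={data}"))
    for path in paths:
        low = path.lower()
        if low.rsplit("\\", 1)[-1] == WORM_FILE:
            findings.append(("file", path))
        elif low == WORM_DIR or low.startswith(WORM_DIR + "\\"):
            findings.append(("directory", path))
    return findings

# Constructed sample input (not captured from a real system).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MSN Messenger    REG_SZ    C:\WINDOWS\TEMP\PIC1324.exe
    SystemTray    REG_SZ    SysTray.Exe
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\TEMP\PIC1324.EXE",
    r"C:\Messenger1324\Brain\1Read Me.txt",
    r"C:\My Documents\holiday_pic1324.exe.txt",
]

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_PATHS):
        print(f"{kind}: {detail}")
```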
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Newpic (AVP)
- TROJ_NEWPIC.A (Trend)
- W32.Annoying.Worm (NAV)
- Win32.Annoying (CA)
- Worm.JerryMsg.A (AVX)