Threat Descriptions

Choke

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

Choke, I-Worm.Choke, Win32.Choke, w32/Choke

Summary

Choke is a worm that utilises MSN Messenger for spreading. It sends itself using filenames like 'ShootPresidentBUSH.exe', 'choke.exe' and 'George.W.Bush@whitehouse.gov' as username.

Removal

F-Secure Anti-Virus with the latest updates detects and removes it. To remove it it's enough to delete the file 'c:\choke.exe'. If it's locked exit to DOS first then delete it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When executed it copies itself to 'c:\choke.exe' and creates a key in the registry under 

'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'

with the name 'Choke' and the value 'c:\choke.exe -blahhh' to ensure that it will be started at every system startup. After this it exits with and error message saying 

'This program needs Flash 6.5 to run!'

It creates a file 'c:\about.txt' with this content:

Choke , Copyright 1886
... A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '

The worm sends messages to random ICQ users (using 'xxxxxxx@pager.icq.com') saying: 

'Micro$oft invites you to use MSN Messenger!'