Threat Description



Category: Malware
Type: Worm
Platform: W32
Aliases: Choke, I-Worm.Choke, Win32.Choke, w32/Choke


Choke is a worm that utilises MSN Messenger for spreading. It sends itself using filenames like 'ShootPresidentBUSH.exe', 'choke.exe' and '' as username.


F-Secure Anti-Virus with the latest updates detects and removes it. To remove it it's enough to delete the file 'c:\choke.exe'. If it's locked exit to DOS first then delete it.

Technical Details

When executed it copies itself to 'c:\choke.exe' and creates a key in the registry under


with the name 'Choke' and the value 'c:\choke.exe -blahhh' to ensure that it will be started at every system startup. After this it exits with and error message saying

'This program needs Flash 6.5 to run!'  

It creates a file 'c:\about.txt' with this content:

Choke , Copyright 1886  ... A MAD CHRISTIAN  ---------------------------------------  Go talk swearwords about God  You all will die, stupid humans.  You fools didn't see what you have done  Bye slut, go talk shit about me.  (Call me a 'psychophatt', but I respect the Creator of life...)  ' Consider your earth '  

The worm sends messages to random ICQ users (using '') saying:

'Micro$oft invites you to use MSN Messenger!'  

Technical Details:Gergely Erdelyi, F-Secure Corp.; June 2001


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More