Threat Encyclopedia

Win32/Choke.B

Aliases: I-Worm/Choke.B, Win32/Jermsg.F, W32.Choke.Worm, Win32.HLLM.Choke.36864, Win32/JerryMsg.A

Win32/Choke.B is a worm written in Visual Basic.  To spread, it uses Microsoft Messenger (similar to ICQ).  It spreads as the file pic1324.exe with a size of 49152 bytes.  After its execution the following fake message reporting an error is displayed:

The worm stays active in memory as the process MsgSprd.  It also creates the value MSN Messenger under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and sets it to the path of the worm file, which ensures that the worm is started again at the next system start.  Using Microsoft Messenger, the worm sends a message to the user who has sent a note to the owner of the infected computer.  The worm sends the text:

hey, want me to send my new pic?
i took it yesterday

If after sending this message the following reply arrives:

sure, yea, guess,ok,maybe,there, pweese? :),go,ok cool,

the worm sends its copy together with the message:

alright, here ya go i hope you like it

In the worm body other texts can be found:

I come in piece. My name is Jerry. The purpose of me is to spread. I'm not annoying, nor dangerous.
How to remove me:
Click Start, select Run. The Run dialog box pops up.
Type: msconfig The System Configuration Utility pops up.
Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.
Restart your computer Or press Ctrl - Alt -> Del, select MsgSprd from the list, then press End Task.
You may freely delete the files or the C:\Messenger1324 directory.
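
A host triage check built from the indicators named in this entry (the MsgSprd process, the Run key under HKEY_LOCAL_MACHINE, the file pic1324.exe of 49152 bytes and the C:\Messenger1324 directory). This is an added example, not part of the original entry and not Eset's own tooling; it assumes Windows PowerShell 3.0 or later, and the variable names are illustrative.

```powershell
# Added triage example; every indicator below is taken from the entry text.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$pattern  = 'MsgSprd|Messenger|pic1324'  # startup names listed in the worm's own removal text
$wormDir  = 'C:\Messenger1324'           # directory named in the worm's own removal text
$wormLen  = 49152                        # size of pic1324.exe given in the entry
$findings = @()

# 1. Run-key values whose name or data matches the listed names.
#    "Messenger" is deliberately broad, so treat hits as leads to review by hand.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -match $pattern -or $data -match $pattern) {
            $findings += [pscustomobject]@{ Check = 'Run value'; Item = $name; Detail = $data }
        }
    }
}

# 2. The resident process the worm runs as.
foreach ($proc in @(Get-Process -Name 'MsgSprd' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Check = 'Process'; Item = "PID $($proc.Id)"; Detail = [string]$proc.Path }
}

# 3. The directory, plus any pic1324.exe inside it, with a size comparison.
if (Test-Path -LiteralPath $wormDir) {
    $findings += [pscustomobject]@{ Check = 'Directory'; Item = $wormDir; Detail = 'present' }
    $hits = @(Get-ChildItem -LiteralPath $wormDir -Filter 'pic1324.exe' -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $hits) {
        $note = if ($f.Length -eq $wormLen) { "size matches $wormLen bytes" } else { "size $($f.Length) bytes" }
        $findings += [pscustomobject]@{ Check = 'File'; Item = $f.FullName; Detail = $note }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Choke.B indicators from this entry were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads the registry, process list and file system; it changes nothing on the host.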

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.