Threat Encyclopedia


Win32/Choke.A

Aliases: I-Worm/Choke, W32/Choke.40960, W32.Choke.Worm, Win32.HLLM.Choke.40960

Win32/Choke.A is a worm written in Visual Basic that spreads through Microsoft Messenger. It is 40960 bytes long and requires the library MSVBVM60.DLL to run. When spreading through Microsoft Messenger, the worm uses the filename ShootPresidentBUSH.exe or choke.exe. When the file containing the worm is run, Win32/Choke.A copies itself to the root directory of drive C: under the name choke.exe. To ensure that it is activated after a system restart, the worm creates a value named Choke under the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and sets it to C:\choke.exe -blahhh. After it is executed, the worm displays, one after the other, two windows with fake error messages.

The worm creates the file C:\about.txt containing the following text:

Choke , Copyright « 1886 ... A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '

After that, the worm sends a message with the text "Micro$oft invites you to use MSN Messenger!" to random users through the gateway paper.icq.com. The sender of the message is given as George.W.Bush@whitehouse.gov.
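The host artifacts listed above (the Run value, the 40960-byte executable and C:\about.txt) can be checked against data collected from a machine. The following is an added example, not part of the original encyclopedia entry; it assumes the four-space column layout printed by `reg query`, and the sample registry output and file list are constructed.

```python
import re

# Indicators as stated in the description above.
RUN_VALUE = ("choke", r"c:\choke.exe -blahhh")          # value name, data
WORM_NAMES = {"shootpresidentbush.exe", "choke.exe"}
WORM_SIZE = 40960                                        # bytes
NOTE_PATH = r"c:\about.txt"

# Assumed `reg query` layout: 4 spaces, name, 4 spaces, type, 4 spaces, data.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {value_name: data} parsed from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def check_host(run_key_text, files):
    """files: iterable of (full_path, size_in_bytes). Returns a list of findings."""
    findings = []
    for name, data in parse_reg_query(run_key_text).items():
        # Registry value names and Windows paths are case-insensitive.
        if (name.lower(), data.lower()) == RUN_VALUE:
            findings.append(("run-key", f"{name} = {data}"))
    for path, size in files:
        lowered = path.lower()
        # Name alone is weak evidence; require the documented size as well.
        if lowered.rsplit("\\", 1)[-1] in WORM_NAMES and size == WORM_SIZE:
            findings.append(("worm-file", path))
        elif lowered == NOTE_PATH:
            findings.append(("dropped-note", path))
    return findings

# Constructed sample data (not captured from a real host).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe /background
    Choke    REG_SZ    C:\choke.exe -blahhh
"""
SAMPLE_FILES = [(r"C:\choke.exe", 40960), (r"C:\about.txt", 312),
                (r"D:\tmp\choke.exe", 1234)]

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_RUN_KEY, SAMPLE_FILES):
        print(f"{kind:12} {detail}")
```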

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.