Sophos

W32/Choke

Aliases
  • I-Worm.Choke
  • Win32.Choke
  • W32/Choke.Worm

Summary

 
Detected by All Sophos products

Action

Please follow the instructions for removing worms.


Windows NT/2000

In Windows NT/2000 you will need to delete the following registry key for each user who ran the virus. The removal of this key is optional in Windows 95/98/Me.

At the Windows taskbar, select Start|Run. Type 'Regedit' and press return. The registry editor will open.

Before you edit the registry, you should make a backup. In the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Each user has a registry area named HKEY_USERS\'code number indicating user'\. For each user locate the key:

HKU\code number\Software\Microsoft\Windows\CurrentVersion\Run\Choke

and delete it if it exists.

Close the Registry Editor and restart your computer.

More Information

W32/Choke is a worm which attempts to send itself through the MSN Messenger instant messaging program.

The worm can send itself through MSN Messenger using a variety of filenames, including ShootPresidentBUSH.exe and Choke.exe along with the message 'President Bush shooter game that allows you to shoot Bush balzz hahaha'.

It copies itself to c:\choke.exe and sets a Registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Choke

in order to run automatically when Windows is started.

When first executed the worm displays two dialog boxes.

The first dialog box says:

"This program needs Flash 6.5 to run!"


The second displays the message:

"Cannot run program!, Quiting"


The worm creates a file called about.txt in the root of the C: drive which contains the following text:

Choke , Copyright ® 1886 ... A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '

If MSN Messenger is installed, it will create three further copies of itself in the C:\ root directory. One will be called ShootPresidentBUSH.exe, another will be the MSN Messenger account user name with an EXE extension and the third will take the MSN Messenger account domain name with an EXE extension (for example HOTMAIL.EXE).
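
The registry and file artifacts described on this page can be checked in one pass on a current Windows system. The following PowerShell script is an added example, not Sophos code: it audits every loaded user hive for the Run entry and looks for the worm's files in C:\. It assumes Choke is stored as a value under the Run key, that the worm's copies are byte-identical, and that PowerShell 4 or later is available; the `-Remove` switch is this example's own parameter.

```powershell
# Added example (not Sophos code): audit for the W32/Choke artifacts named on this page.
# Assumption: "Choke" is a value under each user's Run key (the usual form of a Run entry);
# a subkey of that name is reported too. Run elevated. Pass -Remove to delete the Run entry.
param([switch]$Remove)

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$name      = 'Choke'

# Only hives currently loaded under HKEY_USERS are visible; profiles of users who are
# not logged on must be loaded (reg load) before they can be checked.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$regHits = foreach ($hive in $hives) {
    $runPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$runSubKey"
    if (-not (Test-Path -Path $runPath)) { continue }

    $prop = Get-ItemProperty -Path $runPath -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        [pscustomobject]@{ Sid = $hive.PSChildName; Kind = 'Value'; Data = $prop.$name }
        if ($Remove) { Remove-ItemProperty -Path $runPath -Name $name }
    }
    if (Test-Path -Path "$runPath\$name") {
        [pscustomobject]@{ Sid = $hive.PSChildName; Kind = 'Subkey'; Data = $null }
        if ($Remove) { Remove-Item -Path "$runPath\$name" -Recurse }
    }
}

# Fixed file names from the description. The other two copies are named after the
# MSN Messenger account, so match them by hash against a known copy instead
# (assumption: the copies are byte-identical).
$fixed = 'C:\choke.exe', 'C:\ShootPresidentBUSH.exe', 'C:\about.txt' |
    Where-Object { Test-Path -LiteralPath $_ }

$reference = $fixed | Where-Object { $_ -like '*.exe' } | Select-Object -First 1
$copies = @()
if ($reference) {
    $refHash = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
    $copies = Get-ChildItem -Path 'C:\' -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $refHash }
}

$regHits | Format-Table -AutoSize
"Fixed-name artifacts present: $($fixed -join ', ')"
"Root-directory EXEs identical to ${reference}: $($copies.FullName -join ', ')"
```

Without `-Remove` the script only reports, so it can be run first to confirm which user SIDs carry the entry before anything is deleted.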
