FRISK Software International

Summary of W32/Choke
Alias:Choke, I-Worm.Choke, Win32.Choke, w32/Choke
Discovered: 1 Jun 2001
Infection Method:Via MSN-messenger instant messaging service
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
Choke is a worm that utilises MSN Messenger for spreading. It sends itself using filenames like 'ShootPresidentBUSH.exe', 'choke.exe' and '' as username.

Technical Description
When executed it copies itself to 'c:\choke.exe' and creates a key in the registry under

with the name 'Choke' and the value 'c:\choke.exe -blahhh' to ensure that it will be started at every system startup. After this it exits with and error message saying

'This program needs Flash 6.5 to run!' 
It creates a file 'c:\about.txt' with this content:

 Choke , Copyright  1886  ... A MAD CHRISTIAN
 Go talk swearwords about God
 You all will die, stupid humans.
 You fools didn't see what you have done
 Bye slut, go talk shit about me.
 (Call me a 'psychophatt', but I respect the Creator of life...)
 ' Consider your earth '
The worm sends messages to random ICQ users (using '') saying:

 'Micro$oft invites you to use MSN Messenger!'

Removal Instructions
To remove it it's enough to delete the file 'c:\choke.exe'. If it's locked exit to DOS first then delete it.

[Analysis: Gergely Erdelyi, F-Secure Corp.; June 2001]

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)