Choke .worm virus


Excavator
06-18-2001, 10:18 PM
I detected the w32/choke.worm virus but I can't seem to clean it or delete it. I have the latest McAfee DAT file, which will detect it but can't clean or delete it. Any answers out there in cyberland? Excavator

booya
06-18-2001, 10:52 PM
Go on the McAfee webpage and find the virus in the virus list; they might tell you how to clean it from there.

socalgal
06-18-2001, 10:57 PM
http://www.symantec.com/avcenter/venc/data/w32.choke.worm.html

From Symantec:

W32.Choke.Worm
Discovered on: June 6, 2001
Last Updated on: June 13, 2001 at 09:58:04 PM PDT

This worm uses the MSN Messenger Service (MSNMS) program to replicate; it is the second worm that is known to do so. The worm itself does nothing more than replicate, and if it is executed on a computer that does not have MSNMS installed, it simply remains resident in memory without replicating.

Category: Worm

Infection Length: 40,960 bytes

Virus Definitions: June 6, 2001

Payload Trigger: None
Payload: None
Distribution:

Name of attachment: ShootPresidentBUSH.EXE
Size of attachment: 40,960 bytes
Target of infection: MSNMS users

Technical description:

This worm spreads itself as the file ShootPresidentBUSH.exe.

When executed, the worm does the following:

1. It becomes memory resident.

2. It creates the following files:

C:\Choke.exe (a copy of the worm).

C:\ShootPresidentBUSH.exe (a copy of the worm).

C:\About.txt (contains surrealistic expressions from the author).

C:\Dalist.txt (contains list of buddies that have already been given a copy of the worm).

3. It then displays the following messages:

[image - go to above link]

and

[image - go to above link]

4. After you click OK to these messages, you will not see any other output from this program. This could cause you to believe that the worm has terminated execution, when in fact it is still running on the system.

The worm hooks MSNMS in such a way that when a buddy initiates a text conversation (for the first time) with an infected system, it sends the text message

President bush shooter is game that allows you to shoot Bush balzz hahaha

along with an invitation to download a file named ShootPresidentBUSH.exe. If the buddy declines, the worm will not take no for an answer, and tries repeatedly until the buddy accepts the invitation.

The worm remembers the names of the buddies who have already been sent a copy of it, and responds with a smiley face to every line typed by that person.

The worm may, under some conditions, create a value in the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

that references either of the executable files that it created on drive C.

This worm contains many bugs and may eventually cause the system to stop responding.


Removal instructions:

To remove this worm, end its task to stop it from running, delete any files detected as W32.Choke.Worm, and undo, if necessary, the change that it made to the registry.

To stop the worm from running:

1. Press Ctrl+Alt+Delete. The Close Program dialog box appears.
2. Select the program registered as Choke, and then click End task.

To delete the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.

2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.

3. Delete any files detected as W32.Choke.Worm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete any values that point to either of the following:

C:\Choke.exe
C:\ShootPresidentBUSH.exe

5. Exit the Registry Editor.

--------------
I should add that if you do download Norton trial to get rid of this virus, you might want to uninstall, or at least close McAfee completely before installing and running Norton - just in case they don't play nice together.

McAfee has much less specific removal instructions http://vil.mcafee.com/dispVirus.asp?virus_k=99100&

Good luck


[This message has been edited by socalgal (edited 06-18-2001).]
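
The registry step in the removal instructions above can be checked against an exported copy of the Run key before anything is deleted. This is an added example, not part of the original post or of Symantec's write-up; it assumes the key was exported from the Registry Editor as REGEDIT4 text, and the function names and sample export are hypothetical.

```python
import re

# Indicators taken from the Symantec write-up quoted above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_PATHS = {r"c:\choke.exe", r"c:\shootpresidentbush.exe"}

# Constructed sample of a regedit export (REGEDIT4 text); not from a real system.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Choke"="C:\\Choke.exe"
"Game"="\"C:\\ShootPresidentBUSH.EXE\" /s"

[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\Choke.exe"
'''

# A string value line: "name"="data", where \\ and \" are escaped inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def command_target(data):
    """Return the executable part of a Run value (arguments dropped), lower-cased."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        target = data[1:end] if end != -1 else data[1:]
    else:
        target = data.split(" ", 1)[0]
    return target.lower()

def find_worm_run_values(export_text):
    """List (name, data) for Run values that point at either worm executable."""
    hits = []
    in_run_key = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values under the HKCU Run key are relevant to step 4.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if m:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if command_target(data) in WORM_PATHS:
                hits.append((name, data))
    return hits
```

Calling `find_worm_run_values(SAMPLE_EXPORT)` returns the two values to delete in step 4 and ignores the identical path stored under the unrelated key.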

Bob The Great
06-19-2001, 01:00 AM
Or you could burn your computer in a fire while chanting weird Indian songs, and wearing a towel around your waist (or if you're a girl, a shirt, and a towel for your waist; we don't want to be immodest, do we?)