W32/Choke.A
Analysis
- The virus is 32-bit, 40,960 bytes in size, and was coded in Visual Basic 6; it requires MSVBVM60.DLL on the host system in order to execute
- When run on a host system, the virus writes itself to the root of drive C: as several files:
C:\ABOUT.TXT
C:\CHOKE.EXE
C:\Hotmail.EXE
C:\[MSN User name].EXE
C:\ShootPresidentBUSH.EXE
- The virus monitors MSN Messenger for contacts, and if one sends a note to the infected host, the virus responds persistently with a note containing this text:
"President bush shooter is game that allows you to shoot Bush balzz hahaha"
and an attachment named "ShootPresidentBUSH.exe"
- The virus attempts to send information back to its author via an ICQ page message with this detail:
"I got # son of a bitches"
Where # is the number of MSN contacts which were sent the virus
- The virus modifies the registry to load at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Choke=C:\choke.exe -blahhh
- The virus contains these comment lines in its code:
Go talk swearwords about God
You all will die, stupid humans N
You fools didn't see what you have done
Bye slut, go talk shit about me
Call me a 'psychophatt', but I respect the Creator of life)' Consider your earth '
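
A triage sketch for the file and registry indicators listed above, added here as an example and not part of the original analysis. The function names, the input shapes, and the size-based rule for the copy named after the MSN user are assumptions; the sample data is constructed.

```python
import re

# Indicators taken from the analysis above.
FIXED_NAMES = {"about.txt", "choke.exe", "hotmail.exe", "shootpresidentbush.exe"}
VIRUS_SIZE = 40960               # bytes, per the analysis
RUN_VALUE = "choke"              # value name under HKCU ...\Run
RUN_TARGET = r"c:\choke.exe"     # program the Run value launches

def triage_root_files(entries):
    """entries: iterable of (filename, size) for files directly in C:\\.
    Returns {filename: reason}. Names match case-insensitively; the size
    rule is an assumed heuristic for the '[MSN User name].EXE' copy,
    whose name cannot be known in advance."""
    hits = {}
    for name, size in entries:
        low = name.lower()
        if low in FIXED_NAMES:
            hits[name] = "known file name"
        elif low.endswith(".exe") and size == VIRUS_SIZE:
            hits[name] = "EXE of 40,960 bytes in drive root"
    return hits

def triage_run_values(run_values):
    """run_values: dict of value name -> command line, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = {}
    for name, cmd in run_values.items():
        # First token of the command line, with optional quotes removed.
        m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
        exe = (m.group(1) or m.group(2)).lower() if m else ""
        if name.lower() == RUN_VALUE or exe == RUN_TARGET:
            hits[name] = cmd
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    files = [("CHOKE.EXE", 40960), ("alice.exe", 40960),
             ("AUTOEXEC.BAT", 0), ("setup.exe", 1024)]
    run = {"Choke": r"C:\choke.exe -blahhh",
           "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
    print(triage_root_files(files))
    print(triage_run_values(run))
```

A size match alone is weak evidence; treat such hits as candidates to inspect alongside the Run value.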
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |