|Place of Origin||Turkey|
Shoerec is a virus with a payload similar to that of Magistr. Another part of its payload pays tribute to the Brain virus. The video displayed by the virus when it is first executed strongly suggests it comes from Turkey, and it was first posted on an Internet newsgroup.
When executed, Shoerec generates a random letter andf searches for all files in the current directory with that name three times. It infects Portable executables, hiding as a process thread and then appending itself to the file.
Four months after the initial infection, the virus activates a payload similar to that of Magistr. It causes icons to move away from the cursor as if trying to run away from it.
There is another payload that activates on the 1st, 2nd or 3rd of any month. It infects files on these days with a trojan routine. Seven months after infecting the files, the routine will erase all files on the current drive. It also createsd and overwrites the WIN.COM with either random junk or the following text (paying homage to Brain):
(c) 1999 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD v20.0 Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks
|The Shoerec virus in action|
Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it showed an image of a boxer. The text displayed during the virus's execution is in Turkish, which provides clues as to its origin.
Kaspersky Lab. SecureList, Virus.Win9x.Shoerec. 2001.01.14
Proland, Shoerec virus