Shoerec | |
---|---|
Type | File virus |
Creator | |
Date Discovered | 2000.03.21 |
Place of Origin | Turkey |
Source Language | |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | |
Reported Costs |
Shoerec is a virus with a payload similar to that of Magistr. Another part of its payload pays tribute to the Brain virus. The video displayed by the virus when it is first executed strongly suggests it comes from Turkey, and it was first posted on an Internet newsgroup.
Behavior
When executed, Shoerec generates a random letter and searches for all files in the current directory with that name three times. It infects Portable executables, hiding as a process thread and then appending itself to the file.
Four months after the initial infection, the virus activates a payload similar to that of Magistr. It causes icons to move away from the cursor as if trying to run away from it.
There is another payload that activates on the 1st, 2nd or 3rd of any month. It infects files on these days with a trojan routine. Seven months after infecting the files, the routine will erase all files on the current drive. It also creates and overwrites the WIN.COM with either random junk or the following text (paying homage to Brain):
(c) 1999 Brain & Amjads (pvt) Ltd
VIRUS_SHOE RECORD v20.0
Dedicated to the dynamic memories of millions of virus
who are no longer with us today - Thanks
The Shoerec virus in action |
---|
Origin
Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it showed an image of a boxer. The text displayed during the virus's execution is in Turkish, which provides clues as to its origin.
Sources
Kaspersky Lab. SecureList, Virus.Win9x.Shoerec. 2001.01.14
Proland, Shoerec virus