Shoerec
Shoerec
Type File virus
Creator
Date Discovered 2000.03.21
Place of Origin Turkey
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length
Reported Costs

Shoerec is a virus with a payload similar to that of Magistr. Another part of its payload pays tribute to the Brain virus. The video displayed by the virus when it is first executed strongly suggests it comes from Turkey, and it was first posted on an Internet newsgroup.

Table of Contents

Behavior

When executed, Shoerec generates a random letter and searches for all files in the current directory with that name three times. It infects Portable executables, hiding as a process thread and then appending itself to the file.

Four months after the initial infection, the virus activates a payload similar to that of Magistr. It causes icons to move away from the cursor as if trying to run away from it.

There is another payload that activates on the 1st, 2nd or 3rd of any month. It infects files on these days with a trojan routine. Seven months after infecting the files, the routine will erase all files on the current drive. It also creates and overwrites the WIN.COM with either random junk or the following text (paying homage to Brain):

  (c) 1999 Brain & Amjads (pvt) Ltd   
  VIRUS_SHOE  RECORD  v20.0
  Dedicated to the dynamic memories of millions of virus 
  who are no longer with us today - Thanks
 The Shoerec virus in action

Origin

Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it showed an image of a boxer. The text displayed during the virus's execution is in Turkish, which provides clues as to its origin.

Sources

Kaspersky Lab. SecureList, Virus.Win9x.Shoerec. 2001.01.14

Proland, Shoerec virus

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License