
Shoerec

From Malware Wiki
[Image: W32-shoerec.gif]
Type: Game
Creator: Bram & Amjads
Date: 1999
Origin: Turkey
Platform: Microsoft Windows
File Type: .EXE
Alias(es):
 Win95.Shoerec.B (Ad-Aware)
 Virus.Win9x.Shoerec.n!c (AegisLab)
 Win95/Shoerec (AhnLab-V3)
 Virus:Win95/Shoerec.6f838447 (Alibaba)
 Win32:Shoerec (Avast)
 Win.Trojan.W-144 (ClamAV)
 Malicious.19f616 (Cybereason)
 Virus.Win9x.Shoerec (Kaspersky)
Impact: 10,000 computers
Size: 10 MB
CRC32: A9B5B69D
MD5: f257a5f19f616f63785052cb3b316927
SHA-1: 60a115acd7fa42b944b42d4df0a88b81892bead8
SHA-256: a7fc7287efa7bfc2362399975c785f9e60f028e48a0f5bde316243da4eb6c797
SSDEEP: 3072:+rwugTGLbjXtDM56XoOBbZa+L3WqX9qxawBKzuwvW8z1e0ID5LMVzKzHIL1yxwc9:QbJ45uHa+LLqMIZPfxwW/NowLmtjSgKT
Authentihash: 68662df3180e0fe48f5cf26a481ef8399590e27695f69130751778c2397863e6
IMPhash: e0f41be3cb937dabff34123390991845
Not to be confused with Shoe, a DOS virus.

Virus.Win9x.Shoerec, Shoerec or ShoeRecord is a virus on Microsoft Windows with a payload similar to that of Magistr. Another part of its payload pays tribute to the Brain virus.

Payload

Shoerec's main visible feature is a small, infected boxing game that appears to have been made in the Shockwave Flash player. The supportive text, directions, and credits of the game are all in Turkish, and the opponent is a Turkish cartoon maker named Erdil Yaşaroğlu.

Shoerec is a very dangerous virus. It is an encrypted parasitic Windows 95 virus about 10Kb in length (because of its code, infected files do not work on Windows NT or Windows ME). It is a direct-action virus: it scans the current drive's directory three times, looks for PE EXE files there and infects them, but it does so in the background of a host process (as an in-process thread), and as a result it can stay in memory for a long time, until the host process is terminated or all files on the drive have been scanned. Because of this, the virus can be classified as per-process memory resident.

While infecting a file, the virus writes itself to the end of the file in the last file section, increases this section size and modifies necessary PE header fields.
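The appending layout described above (virus body written into the last section, that section's size increased, PE header fields patched) is what a defender's triage script looks for. The following Python is an added example, not code from the wiki or from the cited sources: it parses the PE header and section table with `struct` alone, reports the heuristics an appending infector tends to trip (entry point relocated into the last section, a data section marked executable, writable-and-executable last section, raw data running past end of file), and exercises them on two constructed images. The section names, sizes and entry addresses in `clean_image()` and `appended_image()` are assumptions built for the demonstration, not values taken from Shoerec samples.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
OPT_HDR_SIZE = 0xE0  # PE32 optional header including 16 data directories


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (synthetic test bytes, not a real program).

    sections: list of (name, virtual_size, characteristics), laid out one after
    another in both the file and the virtual address space."""
    n = len(sections)
    size_of_headers = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    headers, raw_blobs = [], []
    vaddr, rawptr = SECT_ALIGN, size_of_headers
    for name, vsize, chars in sections:
        rawsize = _align(vsize, FILE_ALIGN)
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars))
        raw_blobs.append(b"\x90" * rawsize)  # filler; section content is irrelevant here
        vaddr = _align(vaddr + vsize, SECT_ALIGN)
        rawptr += rawsize
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt_std = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva, SECT_ALIGN, 0)
    opt_win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                          0x400000, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0,
                          vaddr, size_of_headers, 0, 2, 0,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    image = dos + b"PE\0\0" + coff + opt_std + opt_win + b"\0" * 128 + b"".join(headers)
    return image.ljust(size_of_headers, b"\0") + b"".join(raw_blobs)


def parse_pe(data):
    """Return (entry_rva, sections) where each section is a dict of header fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections


def appended_code_indicators(data):
    """Heuristic findings for code appended to the last section.

    An empty list means nothing suspicious. Packers and some linkers trip these
    too, so a hit is a reason to compare against a known-good copy, not a verdict."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    last = sections[-1]
    findings = []

    def contains(sect, rva):
        return sect["vaddr"] <= rva < sect["vaddr"] + max(sect["vsize"], sect["rawsize"])

    ep_sect = next((s for s in sections if contains(s, entry_rva)), None)
    if ep_sect is None:
        findings.append("entry point lies outside every section")
    elif ep_sect is last and len(sections) > 1:
        findings.append(f"entry point in last section {last['name']}")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and not last["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"last section {last['name']} is executable but not marked as code")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last['name']} is both writable and executable")
    if last["rawptr"] + last["rawsize"] > len(data):
        findings.append("last section raw data extends past end of file")
    return findings


def clean_image():
    """Constructed two-section image with the entry point inside .text."""
    return build_pe([(".text", 0x300, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                     (".data", 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x1010)


def appended_image():
    """Constructed image mimicking an appending infector's layout: .data grown by
    0x400 bytes, marked executable, entry point moved into the grown area."""
    return build_pe([(".text", 0x300, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                     (".data", 0x500, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                      | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
                    entry_rva=0x2100)


if __name__ == "__main__":
    for label, img in (("clean", clean_image()), ("appended", appended_image())):
        print(label, appended_code_indicators(img) or ["no indicators"])
```

To run it against a real file, replace the constructed images with `open(path, "rb").read()`; the only authoritative check for this kind of infector remains a byte comparison of the section table and file size against a trusted copy of the same executable.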

To obtain addresses for file access and other functions, the virus uses an address that is valid for Windows 95/98 only. It causes a standard Windows "error in application" message when infected files are run under Windows NT or ME.

About 4 months after infecting a file (assuming the operating system still works), and when run on the same computer (the virus stores the current date and computer name while infecting), the virus runs its trigger routine. This routine gains access to the desktop and moves icons away from the mouse cursor as it approaches them. The programs' icons appear to run away from the cursor, trying to escape, similar to one of Magistr's payloads.

When files are infected on the 1st, 2nd or 3rd of any month, the virus randomly adds its trojan routine to them. When such files are run about seven months after infection, the trojan routine erases all files on the current drive and, on the drive the OS was installed on, creates or randomly overwrites the WIN.COM file with garbage or with text revealing the full name of the virus:

 (c) 1999 Brain & Amjads (pvt) Ltd
 VIRUS_SHOE  RECORD  v20.0
 Dedicated to the dynamic memories of millions of virus
 who are no longer with us today - Thanks

Media

Also featured on the SomeOrdinaryGamers YouTube channel.

Origin

Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it launches a Shockwave animation of a boxer, in which the user can perform a range of moves.

Translation

www.komikaze.net presents Revenge Time

It's time to take revenge for the bad jokes I have been making for years.
Don't pity... Hit... Relax...

The person who's getting beaten: Erdil Yaşaroğlu
Photos: Can İnan
The person who does everything else: Erdil Yaşaroğlu

After the virus is run, the quote from the cartoon maker translates to "What are you looking at, big head?"

Sources

Securelist (Kaspersky Labs), Virus.Win9x.Shoerec

Proland, Shoerec virus
