Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
CreatorBram & Amjads
PlatformMicrosoft Windows
File Type.EXE







Impact10,000 computers
Size10 MB
This box: view  talk  edit
Not to be confused with Shoe, a DOS virus.

Virus.Win9x.Shoerec, Shoerec or ShoeRecord is a virus on Microsoft Windows with a payload similar to that of Magistr. Another part of its payload pays tribute to the Brain virus.


Shoerec's main visible feature is a small, infected boxing game that appears to have been made in the Shockwave Flash player. The supportive text, directions, and credits of the game are all in Turkish, and the opponent is a Turkish cartoon maker named Erdil Yaşaroğlu.

Shoerec is a very dangerous virus. It is an encrypted parasitic Windows 95 virus about 10Kb in length (due to its code of the infected files it will not work on Windows NT or Windows ME). It is a direct action virus; it scans current a drive directory three times, looks for PE EXE files there and infects them; but it does it in the background of a host process (in-process thread), and as a result, can stay in memory for a long time up to the moment the host process is terminated, or all files on a drive are scanned. Because of this, the virus can be classified as a per-process memory resident.

While infecting a file, the virus writes itself to the end of the file in the last file section, increases this section size and modifies necessary PE header fields.

To obtain addresses for file access and other functions, the virus uses an address that is valid for Windows 95/98 only. It causes a standard Windows "error in application" message when infected files are run under Windows NT or ME.

In about 4 months after infecting a file (and assuming the operating system still works), and being run on the same computer (the virus stores the current date and computer name while infecting), the virus runs its trigger routine. This routine gains access to the desktop and moves icons out of the mouse cursor when it is being moved to the icons. It appears as though the programs' icons run out away from the cursor, trying to escape, similar to one of Magistr's payload.

When the files are infected on the 1st, 2nd or 3rd of any month, the virus randomly infects them with its routine. When such files are run in about seven months after being infected, the trojan routine erases all files on the current drive, creates and randomly overwrites the WIN.COM file with garbage or the text, revealing the full name of the virus on the drive the OS was installed on:

 (c) 1999 Brain & Amjads (pvt) Ltd   


 Dedicated to the dynamic memories of millions of virus 

 who are no longer with us today - Thanks


Also featured on the SomeOrdinaryGamers YT


Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it launches a Shockwave file of a boxer, from which the user can carry out a range of varying moves.


www.komikaze.net presents Revenge Time

It's time to take revenge of the bad jokes I make for years.
Don't pity... Hit... Relax...

The person who's getting beaten: Erdil Yaşaroğlu
Photos: Can İnan
The person who does everything else: Erdil Yaşaroğlu

After the virus is run, the quote from the cartoon maker translates to "What are you looking at, big head?"


Securelist (Kaspersky Labs), Virus.Win9x.Shoerec

Proland, Shoerec virus