Malware Wiki

Shoerec (named for a line written in an invalid copy of WIN.COM that it drops in the root of the C: drive) is a virus for Win9x systems that comes packaged within a Macromedia Shockwave Flash boxing game (Adobe did not own it at the time). When the infected game is loaded, Shoerec runs in the background for a short period, infecting a number of files within the Windows and System directories. This operation can be noticed within the game initially by the sound stuttering (on a fast system it may not be as noticeable). Shoerec stays in the background and, as infected files are run, searches out and infects other executables. As more files become infected (and depending on the date threshold for its payloads), the system can experience a noticeable slowdown.

The payloads: The first and most common payload occurs a few months after the initial infection. When an infected program is run, it auto-arranges the icons on the desktop and actively makes them "run away" from the mouse cursor.

The second, less common payload is more destructive. If the initial infection occurred on the 1st, 2nd or 3rd of the month, Shoerec will also drop a file-deleting trojan into some infected files. If the infection is still present after several months and one of these trojan-infected programs is executed, it will delete the majority of files from the C: drive. It will not delete files from any other drives or partitions, or from any network shares. It will also drop the dummy WIN.COM file in the root of drive C:, which, as stated above, contains the text string that gave the virus its name: VIRUS_SHOE_RECORD
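The dummy WIN.COM described above is a simple indicator to check for when triaging an old disk image. The following is an added example, not part of the original page: it assumes the image is mounted read-only at a path you supply and that the marker is stored as plain ASCII text; the function names are hypothetical.

```python
import os
import tempfile

MARKER = b"VIRUS_SHOE_RECORD"  # text string the page says the dummy WIN.COM contains
DROPPED_NAME = "win.com"       # file name from the page; compared case-insensitively (FAT)


def contains_marker(path, marker=MARKER, chunk_size=64 * 1024):
    """Stream the file and report whether the marker occurs anywhere in it."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if marker in window:
                return True
            # Keep the last len(marker)-1 bytes so a match split across reads is seen.
            tail = window[-(len(marker) - 1):]


def check_drive_root(root):
    """Return paths of files in the drive root named WIN.COM that carry the marker."""
    hits = []
    for entry in os.scandir(root):
        if entry.is_file(follow_symlinks=False) and entry.name.lower() == DROPPED_NAME:
            if contains_marker(entry.path):
                hits.append(entry.path)
    return hits


def demo():
    # Constructed sample: a fake drive root holding a dummy WIN.COM, not a real specimen.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "WIN.COM"), "wb") as fh:
            fh.write(b"\x00" * 100 + MARKER + b"\r\n")
        return [os.path.basename(p) for p in check_drive_root(root)]


if __name__ == "__main__":
    print(demo())
```

A hit only shows that the destructive payload has already run on that drive; infected executables in the Windows and System directories are not covered by this check.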


Video: Viral Rewind - Virus.Win9x.Shoerec (Shoerec in action)