|Place of Origin|
When executed, Shoerec generates a random letter and searches for all files in the current directory with that name three times. It infects Portable executables, hiding as a process thread and then appending itself to the file.
Four months after the initial infection, the virus activates a payload similar to that of Magistr. It causes icons to move away from the cursor as if trying to run away from it.
There is another payload that activates on the 1st, 2nd or 3rd of any month. It infects files on these days with a trojan routine. Seven months after infecting the files, the routine will erase all files on the current drive. It also creates and overwrites the WIN.COM with either random junk or the following text (paying homage to Brain):
(c) 1999 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD v20.0 Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks
Shoerec was originally posted to newsgroups as the files FUN.EXE, BOXING.EXE or NOSTRESS.EXE. Its icon made it look like a Shockwave file. When executed, it would execute a shockwave flash game the user could carry out certain boxing moves on a boxer.
Kaspersky Lab. SecureList, Virus.Win9x.Shoerec. 2001.01.14
Proland, Shoerec virus