| Description:
|
Details
Win95.Shoerec
This is a very dangerous encrypted parasitic Win95 virus about 10Kb in length. It is a direct action virus - it scans current a drive directory three times, looks for PE EXE files there and infects them; but it does it in the background of a host process (in process thread), and as a result, can stay in memory for a long time up to the moment the host process is terminated, or all files on a drive are scanned. Because of this, the virus can be classified as per-process memory resident.
While infecting a file, the virus writes itself to the end of the file in the last file section, increases this section size and modifies necessary PE header fields.
To obtain addresses for file access and other functions, the virus uses an address that is valid for Win95/98 only, and as a result, causes standard a Windows "error in application" message when infected files are run under other Windows versions.
In about 4 month after infecting a file, and being run on the same computer (the virus stores the current date and computer name while infecting), the virus runs its trigger routine. This routine gains access to a Windows desktop, and moves icons out of the mouse cursor when the mouse cursor is being moved to the icons. It appears as though the programs' icons run out away from the cursor, trying to escape.
When the files are infected on the 1st, 2nd or 3rd of any month, the virus randomly infects them with its Trojan routine. When such Trojanized files are run in about 7 months after being infected, the Trojan routine erases all files on the current drive, creates and randomly overwrites the WIN.COM file with garbage or the text:
(c) 1999 Brain & Amjads (pvt) Ltd
VIRUS_SHOE RECORD v20.0
Dedicated to the dynamic memories of millions of virus
who are no longer with us today - Thanks |
