Virus Database

Win95.Shoerec

Description Win95.Shoerec

This is a very dangerous encrypted parasitic Win95 virus about 10Kb in length. It is a direct action virus - it scans current a drive directory three times, looks for PE EXE files there and infects them; but it does it in the background of a host process (in process thread), and as a result, can stay in memory for a long time up to the moment the host process is terminated, or all files on a drive are scanned. Because of this, the virus can be classified as per-process memory resident.
While infecting a file, the virus writes itself to the end of the file in the last file section, increases this section size and modifies necessary PE header fields.
To obtain addresses for file access and other functions, the virus uses an address that is valid for Win95/98 only, and as a result, causes standard a Windows "error in application" message when infected files are run under other Windows versions.
In about 4 month after infecting a file, and being run on the same computer (the virus stores the current date and computer name while infecting), the virus runs its trigger routine. This routine gains access to a Windows desktop, and moves icons out of the mouse cursor when the mouse cursor is being moved to the icons. It appears as though the programs' icons run out away from the cursor, trying to escape.
When the files are infected on the 1st, 2nd or 3rd of any month, the virus randomly infects them with its Trojan routine. When such Trojanized files are run in about 7 months after being infected, the Trojan routine erases all files on the current drive, creates and randomly overwrites the WIN.COM file with garbage or the text:
(c) 1999 Brain & Amjads (pvt) Ltd
VIRUS_SHOE RECORD v20.0
Dedicated to the dynamic memories of millions of virus
who are no longer with us today - Thanks

Check other viruses! Be aware! Use Antiviral Software

GoldBug

Description GoldBug

GoldBug is a not dangerous memory resident multipartite stealth virus. This virus will only replicate on '286 computers and higher running DOS 5.0 or higher, and only if the user stashes the operating system in UMB (Upper Memory Blocks).
The virus copies itself in High Memory Area, hooks INT 13h, 21h and infects MBR of hard drive, boot sectors of 1.2M floppies and EXE-files are accessed. On infection of the files this virus uses companion and polymorphic technology.
This virus contains the internal text strings:
CHKLIST????
1O7=0SLMTA

The virus outputs the last string (backward) to the modem port: "ATMLS0=7O1".

Gollum.664

Description Gollum.664

It's a not dangerous not memory resident parasitic virus. It searches for COM-files (except COMMAND.COM) and writes itself to their ends. Depending on the system timer it decrypts and displays the message:
Nasssty little Hobbitssses!
We hatesss them!
We hatesss them all!

It contains the internal text strings also:
Gollum v1.00, by Thanatos
COMMAND.COM

Home