Swap
Swap
Type Boot sector virus
Creator
Date Discovered 1989.06
Place of Origin Israel
Source Language
Platform DOS
Infection Length 740 bytes*
Reported Costs

Swap is a boot sector virus from Israel. In a similar manner to a previous virus, the file virus Cascade, it will cause letters in DOS to fall in a heap to the bottom of the screen. It contains some text claiming it is from the CIA, however it is not very likely that it has any relation to that agency.

Behavior

Swap enters a system when a disk infected with the virus is booted. The virus becomes memory resident and will wait for 10 minutes before infecting a disk. It infects any diskette that is inserted into the system or when any command reads or writes to the disk. If track 39, sectors 6 and 7 contain data, the virus will not infect the disk.

The virus is 740 bytes on the disk and 2,048 bytes long in ram. 740 bytes is too large for a boot sector, which is only 512 bytes long. This is why Swap places some of its code on the boot sector and the rest of it on a separate sector.

The virus marks track 39, sectors 6 and 7 as bad and inserts the rest of its code, including the following text into these sectors: "The Swapping-Virus. (C) June, 1989 by the CIA". It does not move the original boot sector to another location on the disk, but simply overwrites it. The virus has a payload similar to the Cascade virus, as it causes letters in DOS to fall to the bottom of the screen.

Name

Swap is named for the text that it places on track 39, sector 7. The name is misleading, as the virus does not "swap" anything. It is sometimes also called "Falling letters", but this might confuse it with Cascade.

Other Facts

In light of the recent Stuxnet worm, the text that Swap places in certain sectors claiming to be from the CIA is particularly eye-catching. It is however very unlikely that this virus has any relation to the CIA or the Stuxnet worm. It is also unrelated to Trackswap, a virus from Bulgaria.

Sources

Yuval Tal, Weizmann Institute. Reports collected and collated by PC-Virus Index, Computer Virus Catalog 1.2: "Swap" Virus. 1989.08

F-Secure Antivirus, F-Secure Virus Descriptions : Falling Letters.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License