Swap | |
---|---|
Type | Boot sector virus |
Creator | |
Date Discovered | 1989.06 |
Place of Origin | Israel |
Source Language | |
Platform | DOS |
Infection Length | 740 bytes* |
Reported Costs |
Swap is a boot sector virus from Israel. In a similar manner to a previous virus, the file virus Cascade, it will cause letters in DOS to fall in a heap to the bottom of the screen. It contains some text claiming it is from the CIA, however it is not very likely that it has any relation to that agency.
Behavior
Swap enters a system when a disk infected with the virus is booted. The virus becomes memory resident and will wait for 10 minutes before infecting a disk. It infects any diskette that is inserted into the system or when any command reads or writes to the disk. If track 39, sectors 6 and 7 contain data, the virus will not infect the disk.
The virus is 740 bytes on the disk and 2,048 bytes long in ram. 740 bytes is too large for a boot sector, which is only 512 bytes long. This is why Swap places some of its code on the boot sector and the rest of it on a separate sector.
The virus marks track 39, sectors 6 and 7 as bad and inserts the rest of its code, including the following text into these sectors: "The Swapping-Virus. (C) June, 1989 by the CIA". It does not move the original boot sector to another location on the disk, but simply overwrites it. The virus has a payload similar to the Cascade virus, as it causes letters in DOS to fall to the bottom of the screen.
Name
Swap is named for the text that it places on track 39, sector 7. The name is misleading, as the virus does not "swap" anything. It is sometimes also called "Falling letters", but this might confuse it with Cascade.
Other Facts
In light of the recent Stuxnet worm, the text that Swap places in certain sectors claiming to be from the CIA is particularly eye-catching. It is however very unlikely that this virus has any relation to the CIA or the Stuxnet worm. It is also unrelated to Trackswap, a virus from Bulgaria.
Sources
Yuval Tal, Weizmann Institute. Reports collected and collated by PC-Virus Index, Computer Virus Catalog 1.2: "Swap" Virus. 1989.08
F-Secure Antivirus, F-Secure Virus Descriptions : Falling Letters.