ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Swap ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Israeli Boot, Falling Letters Boot, Fat 12 Date of Origin: August, 1989. Place of Origin: Israel. Host Machine: PC compatibles. Host Files: Remains resident. Infects floppy disk boot sector. OnScreen Symptoms: Cascading letters on screen 10 minutes after activation. Increase in Size of Infected Files: n/a. The virus code is 740 bytes. It uses 2K of memory, once resident. Nature of Damage: Corrupts or overwrites boot sector. Detected by: Scanv56+, F-Prot, IBM Scan. Removed by: MDisk, CleanUp, F-Prot, or the DOS SYS command. First studied by Yuval Tal of Israel, and called "the swap virus" because the message "The Swapping-Virus..." sometimes appears in it and the words "SWAP VIRUS FAT12" appeared in a modified boot sector on his disk. Other virus researchers cannot see how the virus would produce this code, and have suggested that Mr. Tal placed the words there himself, to help him identify the virus. Since the other researchers haven't found the word "SWAP" anywhere, they have argued against the name "Swap", but no one has come up with a better one. "Israeli boot virus" will suffice only until there is a second virus from Israel that infects the boot sector (3-4 minutes from now, at the rate we're going!). At any rate, this virus may write the following string into bytes B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty): The Swapping-Virus. (C) June, 1989 by the CIA When this virus replicates, however, the message transfers as binary zeros. Someone may have placed the text message into the virus thinking that it would replicate along with the virus. The Swap virus is somewhat different from other PC boot sector viruses. Normally a BSV replaces the boot sector with virus code, and stores the original boot sector somewhere. In some cases (Ping-Pong, Typo, Brain) the boot sector is stored in unused space, which is then marked as bad in the FAT. In other cases (Yale, Den Zuk, StonedDen Zuk virus), the virus stores the boot sector in a sector that is not likely to be used. One virus (Pentagon) even stores the boot sector in a hidden file. When the computer is booted from a disk infected with the a normal boot sector infecting virus, the code on the boot sector will read the rest of the virus into memory. The virus will then install itself, read the original boot sector and transfer control to it. Swap is different. It does not store the original boot sector at all. Instead it assumes that bytes 196-1B4 (hex) on the boot sector contain error messages that can be safely overwritten. This is true for most (but not all) boot sectors. It also assumes that the boot sector starts with a JMP instruction. Swap then replaces these bytes with code to read the rest of the virus (which is stored at track 39, sectors 6 and 7) into memory. The virus will then execute the original boot code. The fact that this virus does not store the original boot sector makes it hard (and in some cases impossible) to repair an infected diskette. The Swap virus activates after being memory resident for 10 minutes. A cascading effect of letters and characters on the system monitor is then seen, similar to the cascading effect of the Cascade and Traceback viruses. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253