|
NCSA Virus Report #118
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Swap ?
???????????????????????????????
Synonyms: Israeli Boot, Falling Letters Boot, Fat 12
Date of Origin: August, 1989.
Place of Origin: Israel.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy disk boot sector.
OnScreen Symptoms: Cascading letters on screen 10 minutes after
activation.
Increase in Size of Infected Files: n/a. The virus code is 740 bytes. It
uses 2K of memory, once resident.
Nature of Damage: Corrupts or overwrites boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: MDisk, CleanUp, F-Prot, or the DOS SYS command.
First studied by Yuval Tal of Israel, and called "the swap virus"
because the message "The Swapping-Virus..." sometimes appears in it and
the words "SWAP VIRUS FAT12" appeared in a modified boot sector on his
disk. Other virus researchers cannot see how the virus would produce
this code, and have suggested that Mr. Tal placed the words there
himself, to help him identify the virus. Since the other researchers
haven't found the word "SWAP" anywhere, they have argued against the
name "Swap", but no one has come up with a better one. "Israeli boot
virus" will suffice only until there is a second virus from Israel that
infects the boot sector (3-4 minutes from now, at the rate we're going!).
At any rate, this virus may write the following string into bytes
B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty):
The Swapping-Virus. (C) June, 1989 by the CIA
When this virus replicates, however, the message transfers as binary
zeros. Someone may have placed the text message into the virus thinking
that it would replicate along with the virus.
The Swap virus is somewhat different from other PC boot sector
viruses. Normally a BSV replaces the boot sector with virus code, and
stores the original boot sector somewhere. In some cases (Ping-Pong,
Typo, Brain) the boot sector is stored in unused space, which is then
marked as bad in the FAT. In other cases (Yale, Den Zuk, StonedDen Zuk
virus), the virus stores the boot sector in a sector that is not likely
to be used. One virus (Pentagon) even stores the boot sector in a hidden
file.
When the computer is booted from a disk infected with the a normal
boot sector infecting virus, the code on the boot sector will read the
rest of the virus into memory. The virus will then install itself, read
the original boot sector and transfer control to it.
Swap is different. It does not store the original boot sector at
all. Instead it assumes that bytes 196-1B4 (hex) on the boot sector
contain error messages that can be safely overwritten. This is true for
most (but not all) boot sectors. It also assumes that the boot sector
starts with a JMP instruction. Swap then replaces these bytes with code
to read the rest of the virus (which is stored at track 39, sectors 6 and
7) into memory. The virus will then execute the original boot code. The
fact that this virus does not store the original boot sector makes it
hard (and in some cases impossible) to repair an infected
diskette.<Note: Some of this information was provided by Fridrik
Skulason of the University of Iceland.>
The Swap virus activates after being memory resident for 10 minutes.
A cascading effect of letters and characters on the system monitor is
then seen, similar to the cascading effect of the Cascade and Traceback
viruses.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
