*********************************************
***   Reports collected and collated by   ***
***            PC-Virus Index             ***
***      with full acknowledgements       ***
***            to the authors             ***
*********************************************

====== Computer Virus Catalog 1.2: "Swap" Virus (15-Feb-1990) ========
Entry...............: Swap Virus
Alias(es)...........: = Israeli Boot Virus
Virus Strain........: ---
Virus detected when.: June, 1989
              where.: Israel
Classification......: Boot sector infection, resident in RAM
Length of Virus.....: 1. 740 Byte on storage medium
                      2. 2048 Byte in RAM
-------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: versions 2.0 or later
Computer model(s)...: ---
-------------------- Attributes --------------------------------------
Easy Identification.: A) Boot sector:
                      A1) Bytes from $16A in the boot sector are:
                          31 C0 CD 13 B8 02 02 B9 06 27 BA 00 01 CD 13
                          9A 00 01 00 20 E9 XX XX
                      A2) First 3 bytes in the boot sector are: JMP 0196
                          (that is, the boot sector was loaded to CS:0)
                      B) FAT: track 39, sectors 6-7 are marked as bad.
                      C) The message
                         "The Swapping-Virus. (C) June, by the CIA"
                         is located in bytes 02B5-02E4 on track 39,
                         sector 7.
Type of infection...: Resident in RAM. A diskette is infected when it is
                      inserted into the drive and ANY command that reads
                      from or writes to the diskette is executed.
Infection Trigger...: Virus starts to work after 10 minutes.
Storage media affected: Infects diskettes; hard disks are NOT infected.
Interrupts hooked...: Int $8  Timer-Tick: responsible for letter-dropping
                      Int $13 Disk Drive: Infects!
Damage..............: Permanent damage: track 39, sectors 6-7 will be
                      marked as bad.
Damage Trigger......: Whenever a diskette is infected.
Particularities.....: A diskette will be infected only if track 39,
                      sectors 6-7 are empty.
Similarities........: ---
-------------------- Agents ------------------------------------------
Countermeasures.....: Category 1: .1 Monitoring Files: ---
                                  .2 Monitoring System Vectors: ---
                                  .3 Monitoring System Areas: ---
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: ---
                      Category 4: Vaccine: ---
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: ---
Standard means......: ---
-------------------- Acknowledgement ---------------------------------
Location............: Weizmann Institute, Rehovot
Classification by...: Yuval Tal
Documentation by....: Yuval Tal
Date................: August 1989
Information Source..:
=================== End of "Swap"-Virus =============================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++