Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!ncar!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: NYYUVAL@WEIZMANN.BITNET (Yuval Tal (972)-8-474592)
Newsgroups: comp.virus
Subject: Swapping Virus (PC)
Message-ID: <0001.8908161554.AA18203@ge.sei.cmu.edu>
Date: 15 Aug 89 17:36:50 GMT
Sender: Virus Discussion List
Lines: 74
Approved: krvw@sei.cmu.edu

     +------------------------------------------------------+
     |                 The "Swapping" virus                 |
     +------------------------------------------------------+
     |                                                      |
     |   Disassembled on:     August, 1989                  |
     |                                                      |
     |   Disassembled by:     Yuval Tal                     |
     |                                                      |
     |   Disassembled using:  ASMGEN and DEBUG              |
     |                                                      |
     +------------------------------------------------------+

Important note: If you find *ANYTHING* that you think I wrote incorrectly
or misunderstood something, please let me know ASAP. You can reach me:

     Bitnet:   NYYUVAL@WEIZMANN
     InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU

This text is divided into three parts:

     1) A report about the Swap Virus.
     2) A disassembly of the Swap Virus.
     3) How to install this virus?

------------------------------------------------------------------------------
                              R E P O R T
------------------------------------------------------------------------------

Virus Name..............: The Swap Virus
Attacks.................: Floppy-disks only
Virus Detection when....: June, 1989
                at......: Israel
Length of virus.........: 1. The virus itself is 740 bytes.
                          2. 2048 bytes in RAM.
Operating system(s).....: PC/MS DOS version 2.0 or later
Identifications.........: A) Boot-sector:
                             1) Bytes from $16A in the boot sector are:
                                31 C0 CD 13 B8 02 02 B9 06 27 BA 00 01 CD 13
                                9A 00 01 00 20 E9 XX XX
                             2) The first three bytes in the boot sector are:
                                JMP 0196
                                (This is, if the boot sector was loaded to CS:0).
                          B) FAT: Track 39 sectors 6-7 are marked as bad.
                          C) The message: "The Swapping-Virus. (C) June, by the CIA"
                             is located in bytes 02B5-02E4 on track 39, sector 7.
Type of infection.......: Stays in RAM, hooks int $8 and int $13. A diskette is
                          infected when it is inserted into the drive and ANY
                          command that reads or writes from/to the diskette is
                          executed. Hard disks are NOT infected !
Infection trigger.......: The virus starts to work after 10 minutes.
Interrupt hooked........: $8  (Timer-Tick - Responsible for the letter dropping)
                          $13 (Disk Drive - Infects!)
Damage..................: Track 39 sectors 6-7 will be marked as bad in the FAT.
Damage trigger..........: The damage is done whenever a diskette is infected.
Particularities.........: A diskette will be infected only if track 39 sectors
                          6-7 are empty.

+-----------------------------------------------------------------------+
| BitNet: NYYUVAL@WEIZMANN           CSNet: NYYUVAL@WEIZMANN.BITNET      |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                     |
|                                                                       |
| Yuval Tal                                                             |
| The Weizmann Institute Of Science   "To be or not to be" -- Hamlet    |
| Rehovot, Israel                     "Oo-bee-oo-bee-oo" -- Sinatra     |
+-----------------------------------------------------------------------+
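The identification section above lists four indicators (the byte string at boot-sector offset $16A, the JMP 0196 at offset 0, the bad-marked sectors 6-7 on track 39 in the FAT, and the copyright string on track 39 sector 7). The following scanner turns them into checks over a raw diskette image. It is an added example, not Yuval Tal's code and not part of the original post. Everything about the diskette layout is my assumption, not something the report states: a standard 360K diskette (40 tracks, 2 heads, 9 sectors per track, one reserved sector, two 2-sector FATs, seven root-directory sectors, two sectors per cluster) and head 1, which is what the MOV DX,0100 inside the signature selects. Two derivations are also mine: "JMP 0196" assembled at CS:0 can only be the 3-byte near jump E9 93 01 (displacement 0196h - 3), and the report's message offsets 02B5-02E4 exceed a 512-byte sector, so I take them to be relative to the two-sector load buffer and simply search for the string anywhere in sector 7. The sample image at the end is constructed for testing and is not a capture of the virus.

```python
"""
Checks for the Swap-virus indicators listed in the report: the signature
bytes at boot-sector offset $16A (XX = wildcard), the JMP 0196 at offset 0,
the bad-marked cluster covering track 39 sectors 6-7, and the "(C) June,
by the CIA" string on track 39 sector 7.

ASSUMPTIONS (mine, not the report's): a standard 360K diskette
(40 tracks x 2 heads x 9 sectors, 1 reserved sector, two 2-sector FATs,
7 root-directory sectors, 2 sectors per cluster) and head 1, which is what
the MOV DX,0100 inside the signature selects.
"""
from typing import Optional

SECTOR = 512
HEADS, SPT = 2, 9
FAT_LBA, FAT_SECTORS = 1, 2     # first FAT directly follows the boot sector
DATA_START_LBA = 12             # 1 boot + 2 FATs x 2 sectors + 7 root-dir sectors
SECTORS_PER_CLUSTER = 2
FAT12_BAD = 0xFF7               # FAT12 "bad cluster" marker

SIGNATURE_OFFSET = 0x16A
# Signature from the report; None is the XX wildcard (the near-JMP displacement).
SWAP_SIGNATURE: list[Optional[int]] = [
    0x31, 0xC0, 0xCD, 0x13,          # xor ax,ax / int 13h     (reset disk)
    0xB8, 0x02, 0x02,                # mov ax,0202h            (read 2 sectors)
    0xB9, 0x06, 0x27,                # mov cx,2706h            (track 39, sector 6)
    0xBA, 0x00, 0x01,                # mov dx,0100h            (head 1, drive A:)
    0xCD, 0x13,                      # int 13h
    0x9A, 0x00, 0x01, 0x00, 0x20,    # call far 2000h:0100h    (into the loaded body)
    0xE9, None, None,                # jmp near XXXX
]
# "JMP 0196" assembled at CS:0 is a 3-byte near jump E9 rel16, rel16 = 0196h - 3.
SWAP_JMP = bytes([0xE9, 0x93, 0x01])
SWAP_MESSAGE = b"The Swapping-Virus. (C) June, by the CIA"


def lba(track: int, head: int, sector: int) -> int:
    """BIOS CHS (sectors numbered from 1) -> linear sector number in the image."""
    return (track * HEADS + head) * SPT + (sector - 1)

def sector_bytes(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def lba_to_cluster(n: int) -> int:
    """Data-area sector -> FAT cluster number (clusters start at 2)."""
    return (n - DATA_START_LBA) // SECTORS_PER_CLUSTER + 2

def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read a 12-bit FAT entry (entries are packed two per three bytes)."""
    off = cluster + cluster // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val & 0xFFF if cluster % 2 == 0 else val >> 4

def set_fat12_entry(fat: bytearray, cluster: int, value: int) -> None:
    off = cluster + cluster // 2
    if cluster % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4

def has_swap_jmp(boot: bytes) -> bool:
    return boot[:3] == SWAP_JMP

def has_swap_signature(boot: bytes) -> bool:
    region = boot[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(SWAP_SIGNATURE)]
    return len(region) == len(SWAP_SIGNATURE) and all(
        want is None or got == want for got, want in zip(region, SWAP_SIGNATURE))

def swap_cluster_marked_bad(image: bytes) -> bool:
    fat = image[FAT_LBA * SECTOR:(FAT_LBA + FAT_SECTORS) * SECTOR]
    # Under the assumed geometry sectors 6 and 7 of track 39/head 1 form one cluster.
    return fat12_entry(fat, lba_to_cluster(lba(39, 1, 6))) == FAT12_BAD

def has_swap_message(image: bytes) -> bool:
    # Searched anywhere in the sector: the report's 02B5-02E4 offsets exceed one
    # 512-byte sector and are taken to be relative to the 2-sector load buffer.
    return SWAP_MESSAGE in sector_bytes(image, lba(39, 1, 7))

def scan_image(image: bytes) -> dict:
    """Evaluate all four report indicators against a raw 360K diskette image."""
    boot = sector_bytes(image, 0)
    return {
        "boot_jmp": has_swap_jmp(boot),
        "boot_signature": has_swap_signature(boot),
        "fat_bad_cluster": swap_cluster_marked_bad(image),
        "message": has_swap_message(image),
    }

def build_sample_image(infected: bool) -> bytes:
    """Constructed 360K image carrying only the indicators (not a real capture)."""
    img = bytearray(40 * HEADS * SPT * SECTOR)
    if infected:
        img[0:3] = SWAP_JMP
        img[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(SWAP_SIGNATURE)] = bytes(
            0 if b is None else b for b in SWAP_SIGNATURE)
        fat = bytearray(img[FAT_LBA * SECTOR:(FAT_LBA + FAT_SECTORS) * SECTOR])
        set_fat12_entry(fat, lba_to_cluster(lba(39, 1, 6)), FAT12_BAD)
        img[FAT_LBA * SECTOR:(FAT_LBA + FAT_SECTORS) * SECTOR] = fat
        s7 = lba(39, 1, 7) * SECTOR
        img[s7 + 0xB5:s7 + 0xB5 + len(SWAP_MESSAGE)] = SWAP_MESSAGE
    return bytes(img)
```

`scan_image(open("disk.img", "rb").read())` returns one boolean per indicator; treat the boot-sector signature as the primary match and the FAT and message checks as corroboration, since a disk can legitimately have a bad cluster at the end of the data area. The wildcard handling in `has_swap_signature` is what lets the check survive the variable JMP displacement the report marks as XX XX.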