CHESS@YKTVMV.BITNET (David M. Chess) (08/04/89)
Y. Radai: > I suggest we call it the Swap virus, since the words > SWAP VIRUS FAT12 appear in the modified boot sector. Although Yuval's sample disk does contain those words, I assumed that he must have put them there himself, as a way of labelling the diskette. When the virus spreads, it does not (as far as I've been able to tell from both testing and disassembly) put those words in the boot sector. All it does is change the initial JMP, and overlay 31 bytes of the original boot sector (in the message-text area in at least some versions of DOS) with its code to load and call the main virus from its "bad" sector. The words "SWAP VIRUS" don't occur anywhere on the freshly-infected diskette I just produced. Since the virus doesn't really "swap" anything, I'm not sure how good a name that is, although "Israeli boot" is poor for the reason you give. Naming is a pain, isn't it? We could call it the "Falling Letters Boot Virus" (tho' there'll probably be another one next month...). DC