WordSwap Virus


 Virus Name:  WordSwap 
 Aliases:     WordSwap-1069, WordSwap-1085, WordSwap-1387, WordSwap-1503 
 V Status:    Rare 
 Discovered:  September, 1991 
 Symptoms:    .COM & .EXE growth; TSR; file date/time changes; 
              file corruption on disk; system hangs 
 Origin:      USSR 
 Eff Length:  1,069, 1,085, 1,387, or 1,503 Bytes (depends on variant) 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, PCScan, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, 
                    NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, 
                    AVTK/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The WordSwap viruses were received from the USSR in September, 
       1991.  WordSwap is actually a family of initially four viruses 
       which share many similar characteristics.  All of these viruses 
       are memory resident infectors of .COM and .EXE files, and will 
       damage files, including data files, when they are written to disk. 
 
       The first time a program infected with a WordSwap virus is 
       executed, WordSwap will install itself memory resident as a low 
       system memory TSR.  The size of the TSR will vary, depending on 
       which variant of the virus is present, and is documented below. 
       In all cases, interrupt 21 will be hooked by the WordSwap virus 
       in memory. 
 
       After WordSwap is memory resident, it will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are executed.  System 
       hangs may also occur when programs are being infected.  Infected 
       programs will have file size increases of 1,069, 1,085, 1,387 or 
       1,503 bytes, depending on the variant.  The virus will be 
       located at the end of infected files in all cases. 
 
       WordSwap viruses are very destructive.  When files are written to 
       disk, the viruses will randomly swap words within the file, 
       corrupting the data.  In one case, the virus will also overwrite 
       a portion of the file with data from memory. 
 
       Known variant(s) of WordSwap are: 
       WordSwap-1069: WordSwap-1069 is a 1,069 byte member of the 
                      WordSwap family.  It adds 1,069 bytes to infected 
                      files.  Infected programs will have had their file 
                      date and time in the DOS disk directory updated to 
                      the current system date and time when infection 
                      occurred.  This virus' TSR is 1,072 bytes.  System 
                      hangs do not occur with this virus.  WordSwap-1069 
                      will occasionally swap words in files written to 
                      disk, corrupting the file.  WordSwap-1069 appears 
                      to be a bug-fixed version of WordSwap-1085. 
       WordSwap-1085: WordSwap-1085 is a 1,085 byte member of the 
                      WordSwap family of viruses.  It adds 1,085 bytes to 
                      infected files, and no file date/time change will 
                      occur in the DOS disk directory.  WordSwap-1085's 
                      memory resident TSR is 1,072 bytes in length. 
                      Unlike WordSwap-1069, this virus will hang the system 
                      when the next program is executed after it becomes 
                      memory resident.  The program the user was attempting 
                      to execute will have been infected by WordSwap-1085. 
                      Damage to files written to disk is the same as with 
                      the WordSwap-1069 virus: words will occasionally be 
                      swapped, resulting in file corruption. 
       WordSwap-1387: WordSwap-1387 is a 1,387 byte member of the 
                      WordSwap family of viruses.  It adds 1,387 bytes to 
                      infected files, and unlike the other members of this 
                      family will reinfect files.  There will be no file 
                      date/time change on infected files.  Its TSR is 2,784 
                      bytes in length.  This variant also differs in the 
                      type of damage it does to files written to disk. 
                      Besides occasionally swapping words, it will also 
                      occasionally shift the data 18 bytes to the left so 
                      that the first 18 bytes of data records are missing. 
       WordSwap-1503: WordSwap-1503 is a 1,503 byte member of the 
                      WordSwap family of viruses.  It adds 1,503 bytes to 
                      infected files.  There will be no file date/time 
                      change in the DOS disk directory.  It does not 
                      reinfect previously infected files.  The file 
                      corruption which occurs on disk writes will now 
                      result in files occasionally being partially 
                      written with data from system memory, in addition 
                      to the swapping of words.  The swapping of words 
                      only occurs with this variant if the file isn't 
                      overwritten.  WordSwap-1503's TSR is 3,008 bytes 
                      in length. 
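
       Added example (not part of the original entry): a recovery-side
       check that compares a damaged data file with a known-good backup
       and classifies the damage types described above.  It assumes a
       "word" is 16 bits on an even offset and treats the whole buffer as
       one record for the 18-byte shift; all names are hypothetical.

```python
# Added example, not from the original entry: classify damage to a data file
# by comparing it with a known-good backup copy.
WORD = 2    # assumption: a "word" is 16 bits, aligned on an even offset
SHIFT = 18  # left shift the entry attributes to WordSwap-1387

def swapped_words(good: bytes, bad: bytes):
    """Return (pairs, unexplained): offsets of exchanged words, other diffs."""
    diff = [i for i in range(0, len(good), WORD)
            if good[i:i + WORD] != bad[i:i + WORD]]
    pairs, used = [], set()
    for n, i in enumerate(diff):
        if i in used:
            continue
        for j in diff[n + 1:]:
            if (j not in used and good[i:i + WORD] == bad[j:j + WORD]
                    and good[j:j + WORD] == bad[i:i + WORD]):
                pairs.append((i, j))
                used.update((i, j))
                break
    return pairs, [i for i in diff if i not in used]

def left_shifted(good: bytes, bad: bytes, shift: int = SHIFT) -> bool:
    """True when bad begins with good minus its first `shift` bytes."""
    body = good[shift:]
    return len(body) > 0 and bad[:len(body)] == body

def classify(good: bytes, bad: bytes) -> str:
    if good == bad:
        return "intact"
    if left_shifted(good, bad):
        return "shifted-18"
    if len(good) == len(bad):
        pairs, rest = swapped_words(good, bad)
        if pairs and not rest:
            return "word-swap"
    return "other-damage"  # e.g. a region overwritten with unrelated data

def demo():
    good = bytes(range(64))                       # constructed sample record
    swap = bytearray(good)
    swap[4:6], swap[40:42] = good[40:42], good[4:6]
    shift = good[SHIFT:] + bytes(SHIFT)
    over = good[:10] + b"\xff" * 20 + good[30:]
    return [classify(good, bytes(b)) for b in (good, swap, shift, over)]

if __name__ == "__main__":
    print(demo())
```

       A "word-swap" result can be repaired by exchanging the reported
       offset pairs back; the other damage classes need a restore from
       backup.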
