Swap is a boot sector virus on DOS originating from Israel. Like the earlier Cascade virus, it causes letters on the DOS screen to fall in a heap to the bottom of the screen.


Swap enters a system when a disk infected with the virus is booted. The virus becomes memory resident and waits 10 minutes before infecting a disk. It then infects any diskette that is inserted into the system, and infection is also triggered whenever a command reads from or writes to the disk. If track 39, sectors 6 and 7 already contain data, the virus will not infect the disk.

The virus occupies 740 bytes on disk and 2,048 bytes in RAM. 740 bytes is too large for a boot sector, which is only 512 bytes long, so Swap places some of its code in the boot sector and the rest in a separate sector.

The virus marks track 39, sectors 6 and 7 as bad and writes the rest of its code into these sectors, including the following text: "The Swapping-Virus. (C) June, 1989 by the CIA". It does not move the original boot sector to another location on the disk, but simply overwrites it. The virus has a payload similar to that of the Cascade virus: it causes letters in DOS to fall to the bottom of the screen.
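The marker text in track 39, sectors 6 and 7 gives a simple check for a raw diskette image. The following is an added example, not part of the original description: it assumes a 360 KB image (40 tracks, 2 sides, 9 sectors per track), checks both sides because the description does not name one, and uses illustrative function names.

```python
"""Added example: look for Swap's marker text in a raw floppy image."""

SECTOR_SIZE = 512
# Assumed geometry: 360 KB 5.25" diskette (40 tracks, 2 heads, 9 sectors/track).
TRACKS, HEADS, SECTORS_PER_TRACK = 40, 2, 9
IMAGE_SIZE = TRACKS * HEADS * SECTORS_PER_TRACK * SECTOR_SIZE
# Start of the text the description says is stored in track 39, sectors 6 and 7.
MARKER = b"The Swapping-Virus"
TRACK, FIRST_SECTOR, SECTOR_COUNT = 39, 6, 2


def chs_to_offset(track, head, sector):
    """Byte offset of a CHS sector in a raw image (sectors are 1-based)."""
    lba = (track * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)
    return lba * SECTOR_SIZE


def find_swap_marker(image):
    """Return a list of (head, sector, byte_offset) where MARKER was found."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("not a 360 KB image; adjust the assumed geometry")
    hits = []
    for head in range(HEADS):  # the description does not say which side is used
        start = chs_to_offset(TRACK, head, FIRST_SECTOR)
        # Read sectors 6 and 7 as one span so text crossing the boundary is found.
        span = image[start:start + SECTOR_SIZE * SECTOR_COUNT]
        pos = span.find(MARKER)
        if pos != -1:
            hits.append((head, FIRST_SECTOR + pos // SECTOR_SIZE, start + pos))
    return hits


def build_sample(with_marker):
    """Constructed test image: blank disk, optionally carrying the marker text."""
    image = bytearray(IMAGE_SIZE)
    if with_marker:
        off = chs_to_offset(39, 0, 7) + 100  # position inside the sector is arbitrary
        image[off:off + len(MARKER)] = MARKER
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("clean", build_sample(False)), ("marked", build_sample(True))):
        print(label, find_swap_marker(img))
```

A hit shows only that the marker text is present in those sectors; because Swap overwrites the original boot sector rather than relocating it, the boot sector cannot be restored from elsewhere on the same diskette.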


Swap is named for the text that it places on track 39, sector 7. The name is misleading, as the virus does not "swap" anything. It is sometimes also called "Falling letters", but this might confuse it with Cascade.


Yuval Tal, Weizmann Institute. Reports collected and collated by PC-Virus Index, Computer Virus Catalog 1.2: "Swap" Virus. 1989.08

F-Secure Antivirus, F-Secure Virus Descriptions: Falling Letters.