This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

A STEALTH virus is one that, while "active", hides the modifications it
has made to files or boot records. This is usually achieved by
monitoring the system functions used to read files or sectors from
storage media and forging the results of calls to such functions. This
means programs that try to read infected files or sectors see the
original, uninfected form instead of the actual, infected form. Thus
the virus's modifications may go undetected by antivirus programs.
However, in order to do this, the virus must be resident in memory when
the antivirus program is executed and *this* may be detected by an
antivirus program.

Example: The very first DOS virus, Brain, a boot-sector infector,
monitors physical disk I/O and re-directs any attempt to read a Brain-
infected boot sector to the disk area where the original boot sector is
stored. The next viruses to use this technique were the file infectors
Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures: A "clean" system is needed so that no virus is present
to distort the results of system status checks. Thus the system should
be started from a trusted, clean, bootable diskette before any virus-
checking is attempted; this is "The Golden Rule of the Trade" (see G8
for help with making a clean boot disk and booting clean).
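
The countermeasure above, written as a cross-view check (an added example, not part of the FAQ): compare a disk image read through the running system with the same disk read after a clean boot, and flag sectors whose live content is really a copy stored elsewhere on the disk, as with Brain's redirected boot-sector reads. The 512-byte sector size, the function names and the sample images are assumptions constructed for illustration.

```python
SECTOR = 512  # bytes per sector (assumed; the usual DOS-era sector size)

def sectors(image: bytes, size: int = SECTOR) -> list[bytes]:
    """Split a raw disk image into fixed-size sectors."""
    if len(image) % size:
        raise ValueError("image length is not a whole number of sectors")
    return [image[i:i + size] for i in range(0, len(image), size)]

def cross_view_diff(live: bytes, clean: bytes, size: int = SECTOR) -> list[dict]:
    """Compare what the running system returned (live) with the
    same disk read after booting from trusted media (clean).
    One finding per sector that differs between the two views. If the live
    content also exists at another sector in the clean view, that sector is
    listed in 'redirected_from': the read was answered with a stored copy."""
    live_s, clean_s = sectors(live, size), sectors(clean, size)
    if len(live_s) != len(clean_s):
        raise ValueError("views cover different numbers of sectors")
    # Index clean-view content so a forged read can be traced to its source.
    where: dict[bytes, list[int]] = {}
    for n, data in enumerate(clean_s):
        where.setdefault(data, []).append(n)
    findings = []
    for n, (seen, actual) in enumerate(zip(live_s, clean_s)):
        if seen != actual:
            sources = [m for m in where.get(seen, []) if m != n]
            findings.append({"sector": n, "redirected_from": sources})
    return findings

# Constructed sample images: four sectors, labelled by a short tag.
def _fill(tag: bytes) -> bytes:
    return tag.ljust(SECTOR, b"\x00")

ORIGINAL_BOOT = _fill(b"ORIGINAL-BOOT")
CLEAN_VIEW = b"".join([_fill(b"MODIFIED-BOOT"), _fill(b"DATA-1"), _fill(b"DATA-2"), ORIGINAL_BOOT])
LIVE_VIEW = b"".join([ORIGINAL_BOOT, _fill(b"DATA-1"), _fill(b"DATA-2"), ORIGINAL_BOOT])

if __name__ == "__main__":
    for finding in cross_view_diff(LIVE_VIEW, CLEAN_VIEW):
        print(finding)
```

Both images must cover the same sector range; the clean image is only trustworthy if it was taken after starting from the clean boot disk described above.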
 