Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: 4096 (PC)
Message-ID: <0001.9008101840.AA07688@ubu.cert.sei.cmu.edu>
Date: 8 Aug 90 19:43:04 GMT
Sender: Virus Discussion List
Lines: 26
Approved: krvw@sei.cmu.edu

Padgett Peterson:

> I have been surprised at the excitement caused by this virus.
> Admittedly, it uses some "stealth" techniques to hide itself, but
> the "stealth" itself should be detectable in memory.

Yep, the 4096 is easily detectable in memory. I think the main cause
for worry has been the feeling that there are lots of people out there
who don't use virus scanners, and whose main hope of noticing an
infection is noticing file lengths (or contents) changing, or programs
malfunctioning. A "stealth" style virus with few bugs will tend to be
less noticeable by those means than a non-stealthy one. I definitely
agree, though, that for users who have a good virus-scanning program,
the 4096 is no more worrisome than a comparable non-stealthy virus
would be.

DC

P.S. Detecting a virus in memory is a little more prone to false
alarms than detecting one in files, because after an infected system
has been cleaned up the virus signature may still make it into memory,
because it is still in the "cluster gas" somewhere on the disk, and
may get loaded into unused parts of disk buffers or whatever.
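The two points in the post above (why a file-length check is blind to a resident stealth infector while a signature scan of memory or of the raw disk is not, and why a memory hit alone can be a false alarm after cleanup) are easy to see in a toy model. The following Python is an added example written for this page; it is not code from the post, from David Chess, or from the 4096 virus itself. Everything in it is constructed: the 4096-byte appended body, the placeholder signature TOY-STEALTH-SIG (not the real detection string), the StealthDos stand-in for a hooked INT 21h, and the sample files and memory regions.

```python
"""Toy model of a stealth appending infector and the checks discussed in the post.
Constructed example: the signature, file contents and memory regions are made up."""

VIRUS_LEN = 4096
# Placeholder signature for the toy virus body; NOT the real 4096 (Frodo) signature.
SIGNATURE = b"TOY-STEALTH-SIG"


def infect(program: bytes) -> bytes:
    """Append a VIRUS_LEN-byte body that begins with SIGNATURE (toy appending infector)."""
    body = SIGNATURE + b"\x90" * (VIRUS_LEN - len(SIGNATURE))
    return program + body


def is_infected(raw: bytes) -> bool:
    """True if the last VIRUS_LEN bytes of the raw file are the toy virus body."""
    return len(raw) >= VIRUS_LEN and raw[-VIRUS_LEN:].startswith(SIGNATURE)


class StealthDos:
    """Stand-in for the DOS file services (INT 21h) with the virus hooked in.

    While resident is True, sizes and reads of infected files are adjusted so
    that anything going through DOS sees the pre-infection file. Reading the
    sectors directly (raw_sectors) bypasses the hook, as a scanner would.
    """

    def __init__(self, files: dict, resident: bool):
        self.files = dict(files)      # path -> bytes actually stored on disk
        self.resident = resident      # is the stealth virus active in memory?

    def file_size(self, path: str) -> int:
        raw = self.files[path]
        hide = self.resident and is_infected(raw)
        return len(raw) - VIRUS_LEN if hide else len(raw)

    def read_file(self, path: str) -> bytes:
        raw = self.files[path]
        hide = self.resident and is_infected(raw)
        return raw[:-VIRUS_LEN] if hide else raw

    def raw_sectors(self, path: str) -> bytes:
        return self.files[path]


def changed_lengths(dos: StealthDos, baseline: dict) -> list:
    """The length check Chess describes: which files no longer match the recorded size?"""
    return sorted(p for p, n in baseline.items() if dos.file_size(p) != n)


def scan_regions(regions: dict) -> list:
    """Signature scan over a memory image given as {region_name: bytes}."""
    return sorted(name for name, data in regions.items() if SIGNATURE in data)


def interpret_memory_hits(hits: list, program_regions: set) -> str:
    """Corroborate a memory hit: inside a resident/loaded program region it means the
    virus is active; only in disk buffers it may be 'cluster gas' read back after
    cleanup, exactly the false alarm the P.S. warns about."""
    if not hits:
        return "clean"
    if any(h in program_regions for h in hits):
        return "resident"
    return "stale copy in buffers, not proven resident"


def sample_disk():
    """Constructed sample: two clean programs, then GAME.EXE gets infected."""
    clean = {
        "GAME.EXE": b"MZ" + b"\x00" * 600,
        "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 100,
    }
    baseline = {p: len(d) for p, d in clean.items()}
    on_disk = dict(clean)
    on_disk["GAME.EXE"] = infect(clean["GAME.EXE"])
    return baseline, on_disk


if __name__ == "__main__":
    baseline, on_disk = sample_disk()
    print("virus resident, length check sees:", changed_lengths(StealthDos(on_disk, True), baseline))
    print("virus not resident, length check sees:", changed_lengths(StealthDos(on_disk, False), baseline))
    live = {"tsr_virus": infect(b"")[:512], "dos_buffers": b"\x00" * 512}
    print("memory while infected:", interpret_memory_hits(scan_regions(live), {"tsr_virus"}))
    after = {"game_image": on_disk["GAME.EXE"][:-VIRUS_LEN], "dos_buffers": on_disk["GAME.EXE"][-512:]}
    print("memory after cleanup:", interpret_memory_hits(scan_regions(after), {"game_image"}))
```

Running the block prints the length check finding nothing while the virus is resident and GAME.EXE once it is not, a memory verdict of "resident" while the TSR region holds the body, and "stale copy in buffers, not proven resident" when only a disk buffer still carries the bytes after cleanup.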