Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: zmudzinskit@imo-uvax.dca.mil (zmudzinski, thomas)
Newsgroups: comp.virus
Subject: Stealth viruses
Message-ID: <0001.9008131823.AA10141@ubu.cert.sei.cmu.edu>
Date: 7 Aug 90 21:15:00 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

>From Virus-L V3 #138

> "Stealth" virus
>
> I have seen the name "Stealth" used for 4 different viruses, 4096
> (Frodo, IDF) and 1260, as well as two of the Bulgarian viruses. This is
> too confusing, so what I propose (and what I will do in version 1.13 of
> F-PROT) is to use "Stealth" to refer to a class of viruses - the viruses
> that attempt to hide from detection, using a variety of methods.
> Comments, anybody ?

Agree that "Stealth" has become a class of virus. However, I suggest
limiting it to those viruses that use the technique of disinfecting
their prey (either on disk or in memory).

Reason: Clarity. A virus that "hides" by counter-attacking the virus
detection software (making it lie about infections) is not of the same
class as a disinfector. Theoretically, it should always be possible to
use the "stealth" code to recover the infected programs.

I propose the following definition:

Stealth - (adj) Any malicious code that "hides" from detection by
erasing itself from its carrier.

/s/ Tom Zmudzinski
ZmudzinskiT@imo-uvax.dca.mil