Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Stealth viruses
Message-ID: <0008.9008141517.AA11481@ubu.cert.sei.cmu.edu>
Date: 14 Aug 90 12:20:36 GMT
Sender: Virus Discussion List
Lines: 38
Approved: krvw@sei.cmu.edu

> (zmudzinski, thomas) writes:
>Agree that "Stealth" has become a class of virus. However, I suggest
>limiting it to those viruses that use the technique of disinfecting
>their prey (either on disk or in memory).
>
>Reason: Clarity. A virus that "hides" by counter-attacking the virus
>detection software (making it lie about infections) is not of the same
>class as a disinfector.

I never proposed this - what I said was simply "viruses that attempt to
hide from detection, using a variety of methods". The methods may include:

   Disinfecting the file when it is read (4096 method)

   Redirecting INT 13H and/or INT 21H, so the file will appear to be
   unchanged when read.

   Redirecting INT 13, so the boot sector appears unchanged, while the
   virus is active in memory (Brain)

   and possibly the method used by TPVIR and AIDS II, where the original
   program does not change, and the user is unaware that he is, in fact,
   executing the virus instead of the program he intends to execute.

>Stealth - (adj) Any malicious code that "hides" from detection by
>erasing itself from its carrier.

"erasing itself" is not 100% clear, I think. What about:

   Stealth: Any malicious code that vanishes or appears to vanish from
   the infected media, while it is active in memory.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |