Path: utzoo!attcan!uunet!wuarchive!zaphod.mps.ohio-state.edu!uwm.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mweiner@bene.at (Michael Weiner)
Newsgroups: comp.virus
Subject: Re: Stealth viruses
Message-ID: <0006.9008151251.AA12488@ubu.cert.sei.cmu.edu>
Date: 14 Aug 90 17:36:48 GMT
Sender: Virus Discussion List
Lines: 33
Approved: krvw@sei.cmu.edu

frisk wrote:
> I never proposed this - what I said was simply "viruses that attempt to hide
> from detection, using a variety of methods".  The methods may include:
>
>      Disinfecting the file when it is read (4096 method)
>
>      Redirecting INT 13H and/or INT 21H, so the file will appear to be
>      unchanged when read.
>
>      Redirecting INT 13, so the boot sector appears unchanged, while the
>      virus is active in memory (Brain)

INT 40h should definitely be included, it might also become necessary
to check INT 0Dh and INT 0Eh at some point in the future.

> Stealth: Any malicious code that vanishes or appears to vanish
> from the infected media, while it is active in memory.

I would like to add: [...] under certain trigger conditions.

Something else: Does anyone know of a virus scanner that examines high
memory (as used by 386max and similar utilities) for "stealth-type"
viruses?

Michael Weiner

+-----------------+-----------------------------------------------------+
I mweiner@bene.at I Michael Weiner, Ghelengasse 4, A-1130 Wien, Austria I
+-----------------+-----------------------------------------------------+