Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!maverick.ksu.ksu.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: MMCCUNE@sctnve.BITNET
Newsgroups: comp.virus
Subject: Detecting Stealth Virus (PC)
Message-ID: <0006.9010101940.AA05706@ubu.cert.sei.cmu.edu>
Date: 30 Sep 90 18:39:08 GMT
Sender: Virus Discussion List
Lines: 37
Approved: krvw@sei.cmu.edu

Here is a program that will detect stealth-type viruses in memory. It
works on the 4096 and Fish-6. It should work on the Mother Fish
(Whale) also, since it uses the same method of redirecting the
interrupts. I wrote it for the shareware A86, but it should assemble
with MASM, TASM or WASM with minor modifications.

        ADD     [BX+SI],AL              ; encodes as the bytes 00 00
        ADD     [BX+SI],AL
        ADD     [BX+SI],AL
        MOV     AX,3521h                ; AH=35h get interrupt vector, AL=21h
        INT     21h                     ; handler address returned in ES:BX
        ES: CMP B[BX],0EAh              ; is the handler's first byte a far JMP opcode?
        JE      FOUND
        MOV     AH,9h                   ; DOS print string ($-terminated)
        LEA     DX,NOT_FOUND_MESSAGE
        INT     21h
        INT     20h                     ; terminate program
NOT_FOUND_MESSAGE:
        DB      'Stealth Virus not found in memory$'
FOUND:
        MOV     AH,9h                   ; DOS print string ($-terminated)
        LEA     DX,FOUND_MESSAGE
        INT     21h
        INT     20h                     ; terminate program
FOUND_MESSAGE:
        DB      ' Stealth Virus active in memory $'

This program will not become infected by the 4096, although the Fish-6
and Mother Fish (Whale) will attack it easily (the 4096 thinks the file
is already infected).

Any comments and suggestions are appreciated. This program is free to
use by all private individuals (others, please ask me first). I can be
reached on the Interlink and Fidonet virus conferences (as well as
Virus-L). My Bitnet address is MMCCUNE@SCTNVE.

My next posting will include a stealth virus remover....
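
The check the posted program makes on live memory, applied here to a saved real-mode memory snapshot and extended to decode where the far JMP leads. This is an added example, not part of the original post; the names check_vector, build_sample, hook_result and SNAP_SIZE and every sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNAP_SIZE  0x1000   /* size of the constructed snapshot (assumption) */
#define OP_JMP_FAR 0xEA     /* opcode the posted program compares against */

typedef struct {
    int hooked;                 /* 1 far JMP at entry, 0 not, -1 snapshot too short */
    uint16_t seg, off;          /* handler address read from the vector table */
    uint16_t tgt_seg, tgt_off;  /* far JMP destination, valid when hooked == 1 */
} hook_result;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* mem is a snapshot of real-mode memory starting at linear address 0. */
hook_result check_vector(const uint8_t *mem, size_t len, uint8_t intno)
{
    hook_result r = { -1, 0, 0, 0, 0 };
    size_t ent = (size_t)intno * 4;            /* 4 bytes per entry: offset, segment */
    if (len < ent + 4) return r;
    r.off = rd16(mem + ent); r.seg = rd16(mem + ent + 2);
    size_t h = (((size_t)r.seg << 4) + r.off) & 0xFFFFF;   /* 20-bit linear address */
    if (h >= len) return r;
    if (mem[h] != OP_JMP_FAR) { r.hooked = 0; return r; }
    if (h + 5 > len) return r;                 /* EA is followed by offset, segment */
    r.tgt_off = rd16(mem + h + 1); r.tgt_seg = rd16(mem + h + 3);
    r.hooked = 1;
    return r;
}

/* Constructed sample: vector 21h -> 0070:0100; every value here is made up. */
void build_sample(uint8_t *mem, int patched)
{
    static const uint8_t jmp[5] = { 0xEA, 0x34, 0x12, 0x00, 0x9F };  /* JMP 9F00:1234 */
    memset(mem, 0, SNAP_SIZE);
    mem[0x21 * 4 + 0] = 0x00; mem[0x21 * 4 + 1] = 0x01;   /* offset  0100h */
    mem[0x21 * 4 + 2] = 0x70; mem[0x21 * 4 + 3] = 0x00;   /* segment 0070h */
    if (patched) memcpy(mem + 0x800, jmp, sizeof jmp); else mem[0x800] = 0xFA;
}

int main(void)
{
    uint8_t mem[SNAP_SIZE];
    build_sample(mem, 1);
    hook_result r = check_vector(mem, sizeof mem, 0x21);
    printf("INT 21h at %04X:%04X, far JMP at entry: %d\n",
           (unsigned)r.seg, (unsigned)r.off, r.hooked);
    return 0;
}
```

A result of 1 means only that the handler entry starts with a far JMP; the decoded target shows where control goes next.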