Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: HLIN@NAS.BITNET (Herbert Lin)
Newsgroups: comp.virus
Subject: stealth viruses..
Message-ID: <0002.9011191418.AA28547@ubu.cert.sei.cmu.edu>
Date: 15 Nov 90 21:35:00 GMT
Sender: Virus Discussion List
Lines: 19
Approved: krvw@sei.cmu.edu

In a recent msg, someone said that a "stealth" virus could evade checksum and CRC checks. Can anyone tell me how this is done? Wouldn't the author of the virus have to know the checksum/CRC technique being used in detail? Without specific knowledge of the polynomial being used, what could the virus author do?

I can imagine that certain values wouldn't contribute to the checksum, but if you make the original size of the file part of the check, then adding those special values will change the file size, and render it detectable.

In short, it seems that if I am willing to give up the detection of virus propagation in real-time, I should be able to detect viruses ALL THE TIME (of course, if and only if I have a confirmed clean system to begin with). What am I missing?

herb
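The baseline-and-compare checker Herb describes, as an added example that is not part of his post or of any tool discussed on the list. It records size, a naive additive checksum and CRC32 for a constructed sample image, then shows what each field catches: inserted zero bytes that leave the additive sum untouched (Herb's "values that wouldn't contribute") are flagged by the size field, and a same-length reordering that preserves both size and sum is flagged by the CRC. The sample bytes are constructed for the demonstration.

```python
import zlib


def byte_sum(data: bytes) -> int:
    """Naive additive checksum: sum of all byte values, reduced mod 2**16."""
    return sum(data) & 0xFFFF


def make_record(data: bytes) -> dict:
    """Baseline record for one file, taken on a system trusted to be clean."""
    return {
        "size": len(data),
        "sum": byte_sum(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
    }


def verify(data: bytes, record: dict) -> list:
    """Names of the baseline fields that no longer match (empty list = unchanged)."""
    current = make_record(data)
    return [name for name in ("size", "sum", "crc32") if current[name] != record[name]]


# Constructed sample program image (not a real executable).
CLEAN = b"MZ" + b"constructed sample program image " + bytes(range(64))
BASELINE = make_record(CLEAN)

# Modification 1: sixteen 0x00 bytes inserted after the tenth byte.  Zero bytes
# add nothing to an additive checksum, so "sum" still matches; the length does not,
# which is exactly why the file size belongs in the record.
PADDED = CLEAN[:10] + bytes(16) + CLEAN[10:]

# Modification 2: two neighbouring (different) bytes swapped.  Same length, same
# byte sum, but a CRC is order-sensitive, and a difference confined to 16 bits is
# always caught by a 32-bit CRC: a burst shorter than the polynomial's degree can
# never be a multiple of the polynomial.
SWAPPED = CLEAN[:2] + CLEAN[3:4] + CLEAN[2:3] + CLEAN[4:]

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("padded", PADDED), ("swapped", SWAPPED)):
        print(f"{label:8s} failed checks: {verify(image, BASELINE) or 'none'}")
```

Two things the comparison depends on, both outside the record itself: the baseline must be stored where the checker can trust it, and the bytes the checker hashes must be the bytes actually on disk. A keyed hash in place of a public CRC removes the "attacker knows the polynomial" worry, but it does nothing for a checker whose file reads are answered by something other than the file system.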