Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!news.cs.indiana.edu!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Question About Stealth Viruses
Message-ID: <0012.9105291438.AA09086@ubu.cert.sei.cmu.edu>
Date: 28 May 91 21:11:07 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

>From: "Robert McClenon" <76476.337@CompuServe.COM>

"STEALTH" is a buzzword used to denote any virus that attempts to hide itself from observation by intercepting calls that might be used to detect the virus and instead provides returns indicative of a clean system.

The first "stealth" virus was also the first PC virus, the Pakistani BRAIN. On activation, it would go resident in memory, intercepting calls to the floppy disk. If the boot sector of an infected floppy was requested, it would return instead the real boot sector code that had been stored elsewhere on the disk.

As far as I know, the first time the word "stealth" was applied to a virus was to the 4096, a file infector that, when resident, would intercept all calls for infected files, strip the viral code off, and return the original uninfected file to DOS so that signature scanners could be thwarted. Very quickly scanner authors added memory checking mechanisms to reveal these activities.

The vulnerability is that for a "stealth" virus to be active, it must become resident and intercept calls that would reveal its presence. This residence is detectable, usually with nothing more complex than CHKDSK, if the user knows the meaning of the returns. Memorize: "655360 total bytes memory".
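The mechanism the post describes, as an added simulation that is not part of the original post and is not BRAIN's or 4096's code: a resident "virus" hooks the disk-read vector so that a read of the boot sector returns the saved original, and steals a few kilobytes from the BIOS memory-size word that CHKDSK reports as "total bytes memory". The 640 KB figure (655360 bytes) and the BIOS data area word at 0040:0013 are real; the 7 KB resident footprint, the four-sector disk, the 0x55/0xEB byte patterns and all function names are assumptions made for the example. The two detection checks at the end are the ones the post alludes to: the CHKDSK number, and the scanner-side test of whether the interrupt vector still points at the BIOS.

```c
/* Added example: simulated boot-sector stealth hook and the checks that reveal it.
   Not real virus code; constants other than 640 KB / 655360 are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES 512
#define NUM_SECTORS 4
#define CLEAN_MEM_KB 640                       /* standard PC conventional memory */
#define EXPECTED_TOTAL (CLEAN_MEM_KB * 1024L)  /* 655360: what CHKDSK shows on a clean PC */
#define VIRUS_RESIDENT_KB 7                    /* assumed size the TSR steals from top of memory */

typedef struct { uint8_t sector[NUM_SECTORS][SECTOR_BYTES]; } disk_t;
typedef int (*int13_handler)(disk_t *d, int sector, uint8_t *buf);

/* Simulated BIOS data area word 0040:0013: conventional memory size in KB.
   INT 12h and hence CHKDSK's "total bytes memory" come from this value. */
static uint16_t bios_mem_kb = CLEAN_MEM_KB;

/* The genuine BIOS disk-read handler: returns what is physically on the disk */
static int bios_int13(disk_t *d, int sector, uint8_t *buf)
{
    if (sector < 0 || sector >= NUM_SECTORS) return -1;
    memcpy(buf, d->sector[sector], SECTOR_BYTES);
    return 0;
}

/* The INT 13h vector that DOS, and any scanner using DOS/BIOS calls, goes through */
static int13_handler int13_vector = bios_int13;

/* State kept by the resident "virus" */
static int13_handler saved_vector = NULL;
static int hidden_boot_sector = -1;

/* Stealth hook: a read of sector 0 is silently redirected to the saved original */
static int stealth_int13(disk_t *d, int sector, uint8_t *buf)
{
    if (sector == 0 && hidden_boot_sector >= 0)
        sector = hidden_boot_sector;
    return saved_vector(d, sector, buf);
}

/* Infection: stash the real boot sector, overwrite sector 0, hook INT 13h,
   and hide VIRUS_RESIDENT_KB at the top of memory by lowering the BIOS word */
void infect_and_go_resident(disk_t *d, int spare_sector)
{
    memcpy(d->sector[spare_sector], d->sector[0], SECTOR_BYTES);
    memset(d->sector[0], 0xEB, SECTOR_BYTES);   /* placeholder for viral loader bytes */
    hidden_boot_sector = spare_sector;
    saved_vector = int13_vector;
    int13_vector = stealth_int13;
    bios_mem_kb = (uint16_t)(bios_mem_kb - VIRUS_RESIDENT_KB);
}

/* What a signature scanner sees when it reads through the normal vector */
int read_via_dos(disk_t *d, int sector, uint8_t *buf) { return int13_vector(d, sector, buf); }

/* CHKDSK-style figure derived from the BIOS memory-size word */
long chkdsk_total_bytes_memory(void) { return (long)bios_mem_kb * 1024L; }

/* The check from the post: a clean 640 KB machine reports exactly 655360 */
int memory_looks_clean(void) { return chkdsk_total_bytes_memory() == EXPECTED_TOTAL; }

/* The memory check scanners added: does INT 13h still point at the BIOS handler? */
int int13_is_hooked(void) { return int13_vector != bios_int13; }

/* Constructed demo disk: sector 0 filled with 0x55 stands in for real boot code */
static disk_t demo_disk;
void make_clean_demo_disk(void)
{
    memset(&demo_disk, 0, sizeof demo_disk);
    memset(demo_disk.sector[0], 0x55, SECTOR_BYTES);
}
void infect_demo_disk(void) { infect_and_go_resident(&demo_disk, 3); }
int boot_byte_via_dos(void) { uint8_t b[SECTOR_BYTES]; read_via_dos(&demo_disk, 0, b); return b[0]; }
int boot_byte_raw(void)     { uint8_t b[SECTOR_BYTES]; bios_int13(&demo_disk, 0, b);  return b[0]; }

int main(void)
{
    make_clean_demo_disk();
    printf("before: %ld total bytes memory, hooked=%d\n", chkdsk_total_bytes_memory(), int13_is_hooked());
    infect_demo_disk();
    printf("scanner via DOS sees boot byte 0x%02X (looks clean)\n", boot_byte_via_dos());
    printf("raw disk holds boot byte 0x%02X (infected)\n", boot_byte_raw());
    printf("after:  %ld total bytes memory, hooked=%d\n", chkdsk_total_bytes_memory(), int13_is_hooked());
    return 0;
}
```

After infection the scanner that reads through the vector gets the original boot sector back, exactly as the post describes, while CHKDSK's total drops below 655360 and the vector no longer points at the BIOS; either observation is enough to say something is resident, even before knowing what it is.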