Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Question About Stealth Viruses
Message-ID: <0009.9105301427.AA10625@ubu.cert.sei.cmu.edu>
Date: 29 May 91 21:34:02 GMT
Sender: Virus Discussion List
Lines: 38
Approved: krvw@sei.cmu.edu

76476.337@CompuServe.COM (Robert McClenon) writes:

> I have a question, or probably a series of related questions. Can
>someone please explain exactly what "stealth" viruses are? Is there a
>standard definition of what characteristics make a virus a "stealth"
>virus?

To qualify as a "stealth" virus a virus must:

   A) Make any increase in file length disappear when a user checks an
      infected file while the virus is active. Viruses which do not
      change infected files ("companion viruses") are not included, nor
      are overwriting viruses. The "Number of the beast" virus is
      considered to be a stealth virus.

   B) Intercept any operation to read from an infected file or an
      infected boot sector, and make the virus code "disappear" by
      returning the original program. Whether this is done by actually
      disinfecting programs when they are opened for reading, or just by
      modifying the read buffers is irrelevant. According to this
      definition, "Brain" is a stealth virus, for example.

> I have read that they delete themselves from the hard disk and hide in
> memory when they are active.

Totally incorrect. Some "stealth" viruses disinfect programs when they
are read, so it is possible to remove them by simply giving a command like

        COPY *.* NUL:

in every directory containing executable files, but this is certainly not
a universal solution.

-frisk

Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801