Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Newsgroups: comp.virus
Subject: Question About Stealth Viruses
Message-ID: <0007.9106031950.AA02037@ubu.cert.sei.cmu.edu>
Date: 31 May 91 23:50:10 GMT
Sender: Virus Discussion List
Lines: 26
Approved: krvw@sei.cmu.edu

76476.337@CompuServe.COM (Robert McClenon) writes:

> someone please explain exactly what "stealth" viruses are?  Is there a
> standard definition of what characteristics make a virus a "stealth"

There is *always* argument over terms in the computer virus field.
However, I think that most researchers would agree that "stealth" viri
are those which "trap" any reading of the disk, and hide themselves by
ensuring that the information given back to the screen (or calling
program) is only that of the original program, before infection.

This means that stealth viri, while active, can avoid any kind of
detection mechanism that relies on reading the disk, such as file
signature checking, file size checking, checksum, CRC or other "image
signature" calculation and checking.

Generally, stealth viri can be detected by examination of system
memory.  Exactly how, or the best way to do this, would be the subject
of great debate.  (Which I am not going to precipitate.)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into  (SUZY) INtegrity         |  turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security
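
Added example, not part of the original post: a toy Python model of the behaviour described above, showing why a size and CRC check that reads through the trapped path reports a changed file as clean, while the same check over a read path that is not trapped flags it. All class, function and file names and all file contents are constructed for illustration; the untrapped path is an assumption standing for the case where the virus is not active.

```python
import zlib

# Constructed sample data: not taken from any real program or virus.
CLEAN = b"original program image " * 8
CHANGED = CLEAN + b"[bytes added after the baseline was taken]"

class RawDisk:
    """What is actually stored on the disk (hypothetical model)."""
    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name]

class TrappedReads:
    """Model of the read path while a stealth virus is active: a read of a
    changed file is answered with the image from before the change."""
    def __init__(self, disk, pre_change_images):
        self.disk = disk
        self.pre_change_images = dict(pre_change_images)

    def read(self, name):
        if name in self.pre_change_images:
            return self.pre_change_images[name]
        return self.disk.read(name)

def fingerprint(reader, name):
    """Size and CRC-32 of a file as seen through one read path."""
    data = reader.read(name)
    return len(data), zlib.crc32(data)

def take_baseline(reader, names):
    return {n: fingerprint(reader, n) for n in names}

def changed_files(baseline, reader):
    """Names whose size or CRC no longer matches the stored baseline."""
    return sorted(n for n, fp in baseline.items() if fingerprint(reader, n) != fp)

def demo():
    names = ["PROG.COM", "OTHER.COM"]
    disk = RawDisk({"PROG.COM": CLEAN, "OTHER.COM": b"untouched file"})
    baseline = take_baseline(disk, names)      # recorded before the change
    disk.files["PROG.COM"] = CHANGED           # file is altered on disk
    trapped = TrappedReads(disk, {"PROG.COM": CLEAN})
    return changed_files(baseline, trapped), changed_files(baseline, disk)

if __name__ == "__main__":
    via_trapped, via_raw = demo()
    print("check through trapped reads:  ", via_trapped)
    print("check through untrapped reads:", via_raw)
```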