A STEALTH virus is one that, while "active", hides the modifications it has made to files or boot records. This is usually achieved by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus's modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed and *this* may be detected by an antivirus program.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort the results of system status checks. Thus the system should be started from a trusted, clean, bootable diskette before any virus-checking is attempted; this is "The Golden Rule of the Trade" (see G8 for help with making a clean boot disk and booting clean).
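Added example, not part of the original FAQ: a cross-view check built on the countermeasure above. It compares a disk image captured while the system was running with one captured after a clean boot, and reports where the forged content is really stored. The 512-byte sector size, the function names and both sample images are constructed for illustration, and the slot holding the saved original sector is an arbitrary choice.

```python
from __future__ import annotations
import hashlib

SECTOR = 512  # assumed sector size for the constructed images


def sectors(image: bytes) -> list[bytes]:
    """Split a raw image into fixed-size sectors; reject truncated images."""
    if len(image) % SECTOR:
        raise ValueError("image length is not a multiple of the sector size")
    return [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]


def cross_view_diff(live: bytes, trusted: bytes) -> list[dict]:
    """Compare an image captured on the running system with one captured
    after a clean boot. Each finding names a sector whose live view differs
    and, if that live content exists in the trusted image, where it is kept."""
    live_s, trusted_s = sectors(live), sectors(trusted)
    if len(live_s) != len(trusted_s):
        raise ValueError("images cover a different number of sectors")
    # Index trusted sectors by digest so relocated content can be located.
    where: dict[bytes, list[int]] = {}
    for n, data in enumerate(trusted_s):
        where.setdefault(hashlib.sha256(data).digest(), []).append(n)
    findings = []
    for n, (seen, actual) in enumerate(zip(live_s, trusted_s)):
        if seen != actual:
            stored = where.get(hashlib.sha256(seen).digest(), [])
            findings.append({"sector": n, "live_content_found_at": stored})
    return findings


def build_constructed_images() -> tuple[bytes, bytes]:
    """Constructed sample: 8 sectors, sector 0 altered on the media and the
    original sector 0 kept in sector 5 (arbitrary slot chosen for the demo)."""
    original_boot = b"ORIGINAL-BOOT".ljust(SECTOR, b"\x00")
    altered_boot = b"ALTERED-BOOT".ljust(SECTOR, b"\x00")
    trusted = [altered_boot] + [bytes([n]) * SECTOR for n in range(1, 8)]
    trusted[5] = original_boot   # saved copy of the original sector
    live = list(trusted)
    live[0] = original_boot      # forged read result: sector 0 looks unmodified
    return b"".join(live), b"".join(trusted)


if __name__ == "__main__":
    print(cross_view_diff(*build_constructed_images()))
```

A sector that differs between the two views, with the live content found elsewhere in the trusted image, matches the read redirection described for boot-sector stealth; identical images produce no findings.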