What are stealth, polymorphic, and armored viruses? (2024)

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Stealth, polymorphic, and armored viruses use techniques to make it more difficult for virus detection programs to identify them. The descriptions below outline the strategies that these viruses use.

Note: This information is from the virus-L/comp.virus FAQ. You can view the entire document at:

 http://www.faqs.org/faqs/by-newsgroup/comp/comp.virus.html

What is a stealth virus?

Stealth viruses

A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus's modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.

The very first DOS virus, Brain, a boot-sector infector, monitored physical disk input/output and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.

File stealth viruses

In addition to hiding the boot information, file stealth viruses attack .com and .exe files when opened or copied, and hide the file size changes from the DIR command. The major problem arises when you try to use the CHKDSK /F command and there appears to be a difference between the reported file size and the apparent size. CHKDSK assumes this is the result of some cross-linked files and attempts to repair the damage. The result is the destruction of the files involved.
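The size discrepancy described above can be checked without repairing anything. The following is an added example, not code from the FAQ: a simplified FAT12-style model in which the cluster table, directory entries, file names, and cluster size are all constructed, comparing the size the running system reports with the length of the allocated cluster chain.

```python
import math

# Constructed sample data (not taken from a real disk image).
CLUSTER_SIZE = 512
# FAT12-style table: index = cluster number, value = next cluster.
# Entries 0 and 1 are reserved; values 0xFF8-0xFFF mark end of chain.
FAT = [0xFF0, 0xFFF, 3, 0xFFF, 5, 6, 0xFFF]
# (name, first cluster, size in bytes as reported by the running system)
ENTRIES = [
    ("EDIT.COM", 2, 700),   # 2 clusters allocated, size fits
    ("GAME.COM", 4, 900),   # 3 clusters allocated, size claims only 2
]


def chain_length(fat, start):
    """Count clusters in the chain beginning at `start`.

    Raises ValueError on loops or links that leave the table, so a
    damaged FAT is reported instead of being followed forever.
    """
    seen, cur = set(), start
    while cur < 0xFF8:
        if cur < 2 or cur >= len(fat) or cur in seen:
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.add(cur)
        cur = fat[cur]
    return len(seen)


def size_mismatches(fat, entries, cluster_size):
    """Return (name, reported size, allocated bytes) for inconsistent files.

    Report only: nothing is rewritten, unlike CHKDSK /F.
    """
    findings = []
    for name, start, reported in entries:
        if reported == 0 and start == 0:
            continue  # empty file, no chain allocated
        allocated = chain_length(fat, start)
        if allocated != math.ceil(reported / cluster_size):
            findings.append((name, reported, allocated * cluster_size))
    return findings


if __name__ == "__main__":
    for name, reported, allocated in size_mismatches(FAT, ENTRIES, CLUSTER_SIZE):
        print(f"{name}: reported {reported} bytes, {allocated} bytes allocated")
```

A finding here is a reason to repeat the check after starting from trusted media, not proof of infection; ordinary file system damage produces the same mismatch.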

Full stealth viruses

With a full stealth virus, all normal calls to file locations are cached, while the virus subtracts its own length so that the system appears clean.

Countermeasures

You need a clean system so that no virus is present to distort the results of system status checks. Thus you should start the system from a trusted, clean, bootable diskette before you attempt any virus checking.

What is a polymorphic virus?

A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key.

More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g., a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE), which comes in the form of an object module. With the Mutation Engine, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.

The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
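Why a fixed scan string fails against variable-key encoding, and what a key-independent match looks like, is shown in the following added example (not from the FAQ). It goes beyond the page in one respect: it assumes the simplest case, a single-byte XOR key, and matches on the XOR of adjacent bytes, which is the same whatever the key. The marker, keys, and sample buffers are constructed and benign.

```python
MARKER = b"HARMLESS-DEMO-MARKER"  # constructed stand-in for a scan string


def xor_encode(data, key):
    """Encode `data` with a single-byte XOR key (used only to build samples)."""
    return bytes(b ^ key for b in data)


def deltas(data):
    """XOR of each adjacent byte pair.

    (p[i] ^ k) ^ (p[i+1] ^ k) == p[i] ^ p[i+1], so the key cancels out.
    """
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def scan_string(buf, sig=MARKER):
    """Plain scan-string match: finds the signature only if stored as-is."""
    return sig in buf


def xray_scan(buf, sig=MARKER):
    """Key-independent match on adjacent-byte deltas of the signature."""
    return deltas(sig) in deltas(buf)


# Constructed sample buffers: the same marker under three keys, plus a clean one.
SAMPLES = {
    "key 0x00": b"pad-" + xor_encode(MARKER, 0x00) + b"-pad",
    "key 0x5A": b"pad-" + xor_encode(MARKER, 0x5A) + b"-pad",
    "key 0xC3": b"pad-" + xor_encode(MARKER, 0xC3) + b"-pad",
    "clean": b"nothing to see here, just ordinary bytes",
}


def survey(samples=SAMPLES):
    """Return {name: (scan_string hit, xray hit)} for each sample buffer."""
    return {name: (scan_string(buf), xray_scan(buf)) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, (plain, xray) in survey().items():
        print(f"{name:9} scan_string={plain!s:5} xray={xray}")
```

This handles only the variable-key case from the first paragraph of this section; the instruction-level variation described for V2P6 and the Mutation Engine changes the code itself and is not caught by delta matching.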

What is an armored virus?

Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus.

Article information

Author: Dan Stracke
