Stealth viruses or invisible viruses
Stealth viruses, also called invisible viruses, are a type of resident virus (they reside in RAM). A stealth virus falsifies the information read from the disk, so that the program for which that information is intended receives incorrect data. This technique, sometimes called stealth technology, can be used both in boot viruses and in file viruses.
Stealth viruses are classified as masking viruses and are very difficult to detect.
Basics of Stealth Technology
Stealth viruses rely on the fact that the operating system uses an interrupt mechanism when accessing peripheral devices, including hard disks. When an interrupt occurs, control is transferred to a special program, the interrupt handler, which is responsible for transferring data to and from the peripheral device.
Such a system is vulnerable by design: whoever controls the interrupt handler controls the flow of information from the peripheral device to the user. Stealth viruses exploit exactly this by intercepting control when an interrupt occurs. Having replaced the original interrupt handler with their own code, they monitor every read of data from the disk.
If an infected program is being read from the disk, the virus “bites out” its own code (usually the code is not literally cut out; instead, the number of the sector being read is changed). As a result, the user reads “clean” code. Thus, as long as the interrupt vector has been redirected to the virus code, that is, as long as the virus itself is active in the computer’s memory, it is impossible to detect it simply by reading the disk with the means of the operating system. Boot viruses use the same masking mechanism.
Types of Stealth viruses
Stealth viruses of all types are known: boot viruses, DOS file viruses, and even macro viruses.
Boot stealth viruses use two basic methods to hide their code. The first is that the virus intercepts the commands for reading the infected sector (INT 13h) and substitutes the uninfected original instead. This method makes the virus invisible to any DOS program, including an antivirus that is unable to “cure” the computer’s RAM. The basic idea is that, although the file is infected, the data of the uninfected file (previously “cured” by the virus itself) is what is transferred into RAM.
Most file stealth viruses use the same methods as above: they either intercept DOS calls to files (INT 21h), or temporarily “cure” the file when it is opened and reinfect it when it is closed. As with boot viruses, there are file viruses that intercept lower-level interrupts for their stealth functions: calls to the DOS driver, INT 25h, and even INT 13h.
Implementing stealth algorithms in macro viruses is probably the easiest task: all that is required is to prevent the File / Templates or Tools / Macro menu items from being called. This is achieved either by removing these items from the menu, or by replacing them with macros named FileTemplates and ToolsMacro. A small group of macro viruses that store their main code not in the macro itself but in other areas of the document, in its variables or in AutoText, can be called partially stealth.
The best-known stealth viruses include Exploit.Macro.Stealth, Exploit.MSWord.Stealth and Virus.DOS.Stealth.551.
Ways to fight Stealth viruses
To combat stealth viruses, it was previously recommended (and, in principle, is still recommended) to boot the system from a clean floppy disk and only then to search for and remove the virus programs. Today booting from a floppy disk may be problematic: Win32 antivirus applications, for example, cannot run in that environment.
In view of the foregoing, polyphage antiviruses are most effective only against already known viruses, that is, those whose signatures and behaviour are familiar to the developers. Only in that case will the virus be detected with 100% accuracy and removed from the computer’s memory and then from all scanned files. An unknown virus can quite successfully resist attempts to detect and cure it. Therefore, the main thing when using any polyphage is to update the program version and the virus databases as often as possible. For the convenience of users the databases are kept in a separate module; AVP users, for example, can update them daily over the Internet.
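The following Python simulation, added here and not code from the original article, illustrates the two points above: a signature scan that reads through the virus's resident read handler sees only the substituted "clean" sector, while a trusted read (the view obtained after booting from clean media) and a cross-view comparison of the two expose it. The toy disk, sector numbers and marker string are constructed assumptions.

```python
# Constructed toy disk: sector number -> 16-byte contents.  Sector 2 is a
# program whose start was overwritten by a made-up marker; the original
# bytes were saved to sector 7, as the article describes for the
# "substitute the uninfected original" trick.
CLEAN_SECTOR_2 = b"ORIGINAL-PROGRAM"
VIRUS_MARKER = b"VIRUSCODE"
DISK = {
    0: b"BOOTSECTOR......",
    1: b"DATA.DATA.DATA..",
    2: VIRUS_MARKER + CLEAN_SECTOR_2[len(VIRUS_MARKER):],
    7: CLEAN_SECTOR_2,
}
INFECTED_SECTOR, SAVED_COPY_SECTOR = 2, 7


def trusted_read(sector: int) -> bytes:
    """What the disk really contains: the view you get when no resident
    handler is active, i.e. after booting from clean media."""
    return DISK[sector]


def hooked_read(sector: int) -> bytes:
    """Models the intercepted INT 13h read: a request for the infected
    sector is redirected to the saved clean copy, so the caller sees
    uninfected data.  Every other sector passes through unchanged."""
    if sector == INFECTED_SECTOR:
        return trusted_read(SAVED_COPY_SECTOR)
    return trusted_read(sector)


def signature_scan(read, sectors, signature=VIRUS_MARKER):
    """Naive signature scanner: sectors whose contents carry the marker,
    as seen through whatever read path the scanner is given."""
    return [s for s in sectors if signature in read(s)]


def cross_view_diff(read_a, read_b, sectors):
    """Cross-view check: sectors where two read paths disagree.  Any
    mismatch means something between the scanner and the disk is
    altering reads, which is exactly what a stealth virus does."""
    return [s for s in sectors if read_a(s) != read_b(s)]


if __name__ == "__main__":
    sectors = sorted(DISK)
    print("scan via hooked handler :", signature_scan(hooked_read, sectors))
    print("scan via trusted read   :", signature_scan(trusted_read, sectors))
    print("sectors with differing views:",
          cross_view_diff(hooked_read, trusted_read, sectors))
```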