textfiles/virus/stealth.txt

             Elusive New Viruses Can Avoid Detection                       

By Dennis Flanders

While computer users nationwide took time to download anti- virus
software to detect the latest viral strains, someone was busy creating
the electronic version of the stealth bomber.  The "stealth" viruses are
the deadliest infection to date.

At one time the message "126 files scanned - No viruses detected"
would cause a sigh or relief.  Now it may mean "126 files scanned -
126 files infected."  Not only do these evasive new bugs elude
detection, they can turn your favorite scan program into a "typhoid
Mary."

Most viruses announce their presence by doing such obvious things as
consuming system resources, destroying files or causing distinctly
abnormal actions on the screen.  The stealth virus, on the other hand,
quietly sits in the computer's memory doing nasty things to your
system over a long period.

The 4096 virus is destructive to both data and executable files. 
Because the virus slowly cross-links files on the system's disk, it gives
little indication of its presence.  The cross-linking occurs so slowly that
it appears there is a hardware problem when it is the result of the
virus manipulating the FATs and changing the number of available
sectors.

Masquerading as hardware failures, stealth viruses can cause much
time and money to be wasted chasing the wrong problem and repairing
good equipment.  After finally discovering the virus the infected PC's
data and programs may be beyond recovery.  Often several generations
of backups will contain files contaminated or destroyed by the virus.

Currently 4096 and Joshi-B are the most prevalent of the stealth
viruses.  Once installed in memory, a typical stealth virus will
insinuate itself between DOS and the user.  It will protect itself by
filtering information passed between DOS and programs.

Whenever DOS opens a file, the virus will intercept the call and
manipulate the file.  If the opened file is not infected, it will become
infected.  If the file is infected the virus will make it appear to be
"clean" by removing itself.  Thus anti-viral scanners are unable to
detect its presence.

If the anti-viral software does not scan memory, the stealth virus will
go completely undetected.  In fact anti-viral programs will lie and
report that the PC is "clean" even as it becomes the primary vehicle for
infection.  Commonly used programs often become the primary source
for contamination. For instance, typing COPY or XCOPY will cause the
virus to infect both the original and the new files.      Viruses always
add code to the programs they infect.  For instance the 4096 virus will
increase the size of an infected file by 4096 bytes.  Stealth viruses also
manipulate commands such as DIR that report file lengths.  They will
subtract the length of the viral code from the file size before passing it
on to the requesting program, making it appear normal. 

Programs that depend on CRC checks to validate the existence of a
virus are not effective.  They perform their calculations on a "sanitized"
version of an infected program.  This causes the CRC to be correct. 

The only sure protection is prevention.  In the past genuine hardware
problems have been blamed on viruses.  We may now have come full
circle.  Genuine virus problems may be blamed on hardware glitches,
according to David Stang, chairman of the National Computer Security
Association.  Stang went on to say that the association's BBS (see
insert) has software and clear instructions for dealing with stealth
viruses. 

Insert: 
The National Computer Security Association 4401-A Connecticut Ave.
NW, Suite 309 Washington, DC  20008 202-364-8252 (Voice)
202-364-1304 (Data)