Spotting the Stealth Virus
By nature, a computer virus must modify something in the host system in order to become active. This may be a specific file, a boot sector, or a partition sector, more commonly known as an MBR (Master Boot Record). Whatever the target, it must be modified in some way. Unless the infection takes control of the parts of the system that service access to what it has modified, the changes will typically become visible, leaving the virus exposed. This very nature has led virus writers to design malicious code that is far more elusive.
Understand the Stealth Virus
A stealth virus is one that conceals the changes it makes. It does this by taking control of the system functions that read files or system sectors. When another application requests data from a portion of the system the virus has modified, the infection reports back the original, unchanged data instead of the malicious code. For this to work, the virus must be actively resident in memory.
An example of a stealth infection is Brain, the very first DOS virus. Brain is a system infector that begins by monitoring physical disk access. It then redirects every attempt to read an infected sector to the place on the disk where it stored the original, uninfected boot sector. Later viruses to follow this trend were Frodo and Number of the Beast, both classified as file infectors.
How the Stealth Virus Works
It is important to know that many such viruses not only hide, but also encrypt the original data they have infected. Some victims try traditional DOS commands such as FDISK /MBR or SYS to fix the problem, which can make things much worse. If the virus is overwritten with FDISK /MBR, the system has no way to recognize what is in the partition table and cannot access the encrypted data without the aid of the virus itself. For this reason, anti-virus software is recommended for eradicating a stealth virus rather than manual repair.
Virus coders mainly use the stealth approach to elude virus scanners. Viruses that a scanner simply fails to detect, because the malicious code is fairly new or the user's anti-virus software isn't up to date, are often loosely described as stealth viruses as well. The stealth technique is a contributing factor to why most anti-virus programs function best when the system is booted from a clean CD or floppy disk. Booted this way, the infection is never given the chance to seize control of the system, so the changes it made can be exposed and dealt with immediately.
In general, a stealth virus stays resident in system memory whenever a scanner is run. It employs various techniques to hide its changes: when the scanner reads an altered section, the virus redirects the read to an area that still holds the clean, uninfected data. A more advanced anti-virus program can detect a stealth virus by searching for evidence of changes within system sectors and other areas that are especially susceptible to attack, regardless of how the system was booted.
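The following Python model, added here as an illustration and not part of the original article, simulates the Brain-style redirection described above and the two defender-side checks that expose it: a cross-view comparison of a hooked read against a raw read, and a baseline hash taken while the system was known-clean. The disk, sector contents and sector numbers are all constructed toy values.

```python
import hashlib

# Constructed toy disk: sector 0 plays the boot sector; all others are data.
SECTOR_SIZE = 16
CLEAN_BOOT = b"CLEANBOOTSECTOR!"       # 16 bytes, constructed clean boot sector
INFECTED_BOOT = b"VIRUSBOOTSECTOR!"    # 16 bytes, constructed infected sector
# Digest recorded from a clean boot, i.e. before any infection (baseline).
CLEAN_DIGEST = hashlib.sha256(CLEAN_BOOT).hexdigest()


class Disk:
    """Toy disk with a hookable service read (the BIOS/DOS path a resident
    virus can intercept) and a raw read that bypasses any hook, standing in
    for direct hardware access or a read taken after a clean boot."""

    def __init__(self, sectors):
        self.sectors = list(sectors)
        self.hook = None  # installed by the simulated stealth virus

    def raw_read(self, n):
        return self.sectors[n]

    def read_sector(self, n):
        return self.hook(self, n) if self.hook else self.raw_read(n)


def make_disk(num_sectors=8):
    """Fresh, uninfected disk: clean boot sector followed by empty data sectors."""
    return Disk([CLEAN_BOOT] + [b"\x00" * SECTOR_SIZE] * (num_sectors - 1))


def infect_with_stealth(disk, hidden_copy_sector):
    """Simulate the Brain technique: stash the original boot sector elsewhere,
    overwrite sector 0, and hook reads so requests for sector 0 are redirected
    to the stashed clean copy."""
    disk.sectors[hidden_copy_sector] = disk.sectors[0]
    disk.sectors[0] = INFECTED_BOOT

    def hook(d, n):
        return d.raw_read(hidden_copy_sector if n == 0 else n)

    disk.hook = hook


def cross_view_check(disk, sector):
    """True if the hooked view and the raw view disagree: something resident
    is lying about this sector's contents."""
    return disk.read_sector(sector) != disk.raw_read(sector)


def baseline_check(disk, sector, known_digest=CLEAN_DIGEST):
    """True if the raw sector no longer matches the digest recorded when the
    system was known-clean (the clean-boot comparison the text recommends)."""
    return hashlib.sha256(disk.raw_read(sector)).hexdigest() != known_digest
```

Both checks report nothing on the fresh disk; after `infect_with_stealth`, the hooked read of sector 0 still returns the clean bytes, yet both checks flag the change.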