Stealth viruses or invisible viruses

Stealth viruses or invisible viruses are resident types of viruses (residing in RAM). Stealth viruses falsify information read from the disk so that the program for which it is intended receives incorrect data.


Stealth viruses belong to the category of masking viruses that are very difficult to detect.


Fundamentals of Stealth Technology


At the heart of Stealth, viruses are the fact that the operating system uses an interrupt mechanism when accessing peripheral devices (including hard disks). When an interruption occurs, the control is directed to a special interrupt handler program. This program is responsible for input and output data to/from a peripheral device.


Such a system initially also has a vulnerability: managing the interrupt handler can control the flow of information from the peripheral device to the user. Stealth viruses, in particular, use the control mechanism in the event of an interruption. By replacing the original interrupt handler with their code, they control the read of the disk data.


When an infected program is read from the disk, the virus “bites” its code (usually the code is not eaten, but instead replaces the read sector number of the disk). As a result, the user gets a clean code to read. Thus, while the vector of the interrupt handler is modified by a virus code, the virus itself is active in the memory of the computer, it is impossible to detect by simply reading the disk with the means of the operating system.

Ways to deal with Stealth viruses


To combat these viruses, it was previously recommended (in principle, it is now recommended) to apply an alternative boot to the hard disk drive and then only search and remove the virus programs. Hard disk booting can be difficult right now (you won’t be able to run it in the case of win32 antivirus applications).


Given the above, antivirus software is only effective in combating already known viruses, ie. with those whose signatures and behaviours are familiar to developers. Only in this case will the virus 100% be detected and removed from the computer’s memory and then from all scanned files. If the virus is unknown, it can successfully counteract detection and removal attempts.


Therefore, when using any antivirus software, it is important to update the versions of programs and virus databases more frequently. For the convenience of users, the database is exported to a separate module, for example, AVP users can update the database daily through the Internet.

Tags: ,