Stealth describes a number of techniques for a virus to evade detection. The term is used in virus research primarily to describe viruses that, often while in memory, manipulate data returned to a program trying to analyze it. Stealth viruses came pretty early in the history of self-replicating programs.
The first boot sector virus for IBM compatibles, Brain had stealth capability. When an attempt is made to examine the boot sector, it redirects whatever program is reading it to the copy of the boot sector the virus has stored.
The Frodo virus modifies interrupt 21h or 33d so when it is used to read or write files, it only shows the disinfected part. It also hides the fact that a file has grown larger with the infection by hooking the DOS "DIR" command to show the size of the file -4096 bytes (the size of the Frodo infection).
Stealth Viruses
Here is a non-exhaustive list of viruses known to have some form of stealth capability:
- DOS/Beast
- Linux/Bliss
- DOS-Boot/Brain
- DOS/Byway
- Win32/Cabanas
- MSWord/Class
- Com64/BHP
- DOS-Boot/Crazyboot
- DOS/Eddie
- DOS-Boot/Exebug
- DOS/Frodo
- Win95/HPS
- DOS/Natas
- DOS/Onehalf
- Win95/Sma
- Win95/Smash
- DOS/Starship
- DOS-Boot/Strange
- Multi/Tequila
- DOS/Whale
Sources
Peter Szor. The Art of Computer Virus Research and Defense, Chapter 5 Classification of In-Memory Strategies, 5.2.5 Stealth Viruses, pp. 199-209. Addison Wesley, Symantec Press: Upper Saddle River, NJ, 2005. ISBN: 0321304543