Stealth means that the malware operates covertly.
As discussed previously, there are three main kinds of stealth:
- Size Stealth
- Full Stealth
- Redirection Stealth
Size stealth: here the malware hides the change in size of an infected file. What is done in the background:
- The original (pre-infection) file size is saved, and only that size is ever shown
- This can be done through a setting on the machine (e.g. in the registry) or through faked checksums and byte counts.
The malware disinfects a host file when it is opened and re-infects it when it is closed, depending on how it is written. The exact sequence of steps varies; for the actions mentioned below see the MS-DOS API reference (the MS-DOS source is also available for download).
Disinfect On Open
– Hook INT 21h (referred to here as the "random read" call) to intercept function 3Dh (Open File) and function 6Ch (Open File). Both are intercepted to ensure the same file isn't opened in compatibility mode.
– Check if the file that is being opened is a COM or EXE
– Open file for reading and writing
– Check if file is infected or clean
– If not infected exit
– Save the file’s time & date
– Read the original bytes in memory
– Write the original code
– Restore file size
– Subtract the length of our virus
– Restore original year
– Truncate the file
– Close the file
Re-Infect on File Close
– Hook INT 21h (the "random read" call) to intercept function 3Eh (Close File), i.e. intercept the close
– Check if file is infected
– If the file is already infected, close the file
– Save file time, date & size
– Write the payload to file
– Set old file’s time/date
– Mark the file for stealth
This can be considered a form of byte-level transposition: the virus reads the infected bytes and maps them back to the uninfected bytes of the host file, which dupes the antivirus into thinking the file is clean.
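Because a stealth virus of this kind lies through the hooked DOS calls, a scanner that trusts any single answer from the live system is easily fooled. The added example below (not code from the original post) shows the defender-side rule instead: take several independent views of the same file (directory listing size, seek-to-end size, bytes actually read, timestamp) and compare them with each other and with a baseline recorded from a clean boot. `FileView`, `check_file` and `build_baseline` are names chosen here; the views are supplied as plain values so the checks run offline.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class FileView:
    """One file as seen through several independent paths (constructed data)."""
    name: str
    dir_size: int   # size from the directory listing (FindFirst/FindNext)
    seek_size: int  # size obtained by seeking to the end of an open handle
    data: bytes     # bytes actually read back through the handle
    year: int       # year field of the file's timestamp

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(views) -> dict:
    """Record size and content hash from views taken on a known-clean boot."""
    return {v.name: {"size": v.dir_size, "sha256": sha256(v.data)} for v in views}

def check_file(view: FileView, baseline: dict, max_year: int = 2099) -> list:
    """Return findings; an empty list means all views agree with each other
    and with the clean baseline."""
    findings = []
    sizes = {"dir": view.dir_size, "seek": view.seek_size, "read": len(view.data)}
    # Size stealth only patches the calls that were hooked, so any
    # disagreement between paths is itself a signal.
    if len(set(sizes.values())) > 1:
        findings.append(f"size views disagree: {sizes}")
    base = baseline.get(view.name)
    if base is None:
        findings.append("file not present in clean baseline")
    else:
        if view.dir_size != base["size"]:
            findings.append(f"listed size {view.dir_size} != baseline {base['size']}")
        if sha256(view.data) != base["sha256"]:
            findings.append("content read back differs from clean baseline")
    # The technique saves and later restores the year; an implausible year
    # (assumption: beyond max_year) means that restore step did not run.
    if view.year > max_year:
        findings.append(f"implausible timestamp year {view.year}")
    return findings
```

Run the views once from clean boot media to build the baseline, then again on the suspect system; only the second pass can be lied to, and the comparison exposes it.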