Stealth Viruses

A virus must change things in order to infect a system. To avoid detection, a virus will often take over the system functions most likely to spot it and use them to hide itself. A virus may or may not preserve the original of whatever it changes, so using anti-virus software to handle an infection is always the safest option.

A virus, by its nature, has to modify something executable in order to become active when that executable is run. This might be a file, the boot sector, or the partition sector (the Master Boot Record); whatever it is, it has to change. Unless the virus takes over the portions of the system that control access to the changes it made, those changes will become visible and the virus will be exposed.

A stealth virus hides the modifications it makes. It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the original (unchanged) information instead of what's really there (the virus). Of course, the virus must be resident in memory and active to do this; a scanner that reads the disk through the hijacked functions sees exactly what the virus wants it to see.

Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.

Important Note: Some viruses, when they infect, encrypt and hide the original information from the sector they infect. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it elsewhere on the disk; the infected MBR itself holds no usable partition table, and Monkey supplies the real one only while it is resident. FDISK /MBR rewrites only the boot code at the start of the sector and leaves the partition-table area as it finds it on disk. If you overwrite the virus with FDISK /MBR, then you will no longer be able to see your hard disk, as DOS will not recognize what's in the partition table and can't access the encrypted version without Monkey helping (anti-virus software knows how to get around this problem).

Never use undocumented commands (e.g., FDISK /MBR) to fix virus contamination. 
Always use an anti-virus package that can deal with the particular virus in question. 
Undocumented commands are undocumented for a reason!
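The three behaviours described above (the read hook that hides the infected sector, the clean cold boot that bypasses it, and the way FDISK /MBR destroys a relocated, encrypted partition table) can be modelled in a few dozen lines. The program below is an added illustration written for this page, not code from the original article or from any real virus: it simulates a 64-sector disk, a ROM read routine, and a replaceable read vector standing in for the DOS disk interrupt. The hiding sector (63), the XOR "encryption" with key 0x5A, the marker strings, and the one-entry partition table are all assumptions chosen for the simulation.

```c
/* Toy model of a stealth MBR infector and the two repair paths (not real virus code). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR      512
#define NSECTORS    64
#define MBR         0
#define HIDE_SECTOR 63    /* assumption: where the virus stashes the encrypted original MBR */
#define PT_OFFSET   446   /* the partition table occupies bytes 446..509 of the MBR */
#define VIRUS_KEY   0x5A  /* assumption: toy XOR key standing in for the virus's encryption */

static uint8_t disk[NSECTORS][SECTOR];

/* ROM BIOS disk routines: code in ROM that a resident virus cannot alter. */
static void bios_read(int lba, uint8_t *out)       { memcpy(out, disk[lba], SECTOR); }
static void bios_write(int lba, const uint8_t *in) { memcpy(disk[lba], in, SECTOR); }

/* The disk-read vector (INT 13h in real DOS). DOS and every program read sectors
 * through this pointer, so whoever owns it decides what a read returns. */
static void (*int13_read)(int, uint8_t *) = bios_read;

/* Stealth handler: a read of the MBR is answered with the decrypted original
 * fetched from the hiding place; every other sector passes straight through. */
static void stealth_read(int lba, uint8_t *out) {
    if (lba != MBR) { bios_read(lba, out); return; }
    bios_read(HIDE_SECTOR, out);
    for (int i = 0; i < SECTOR; i++) out[i] ^= VIRUS_KEY;
}

static void build_clean_mbr(uint8_t *s) {
    memset(s, 0, SECTOR);
    memcpy(s, "CLEAN-BOOT-CODE", 15);
    s[PT_OFFSET] = 0x80; s[PT_OFFSET + 4] = 0x06;   /* one active FAT16 partition entry */
    s[510] = 0x55; s[511] = 0xAA;                   /* boot-sector signature */
}

/* Infection: encrypt the real MBR (partition table included) into HIDE_SECTOR,
 * overwrite sector 0 with the virus body, and take over the read vector. */
static void infect(void) {
    uint8_t buf[SECTOR];
    bios_read(MBR, buf);
    for (int i = 0; i < SECTOR; i++) buf[i] ^= VIRUS_KEY;
    bios_write(HIDE_SECTOR, buf);
    memset(buf, 0, SECTOR);
    memcpy(buf, "VIRUS-BODY", 10);
    buf[510] = 0x55; buf[511] = 0xAA;   /* still bootable, but no real partition table */
    bios_write(MBR, buf);
    int13_read = stealth_read;
}

/* Cold boot from a clean, write-protected floppy: the virus never runs, so the
 * vector is the ROM's and the raw sector is what every reader sees. */
static void cold_boot_clean(void) { int13_read = bios_read; }

/* Scanner reading the MBR through whatever the vector currently points at. */
static int mbr_looks_infected(void) {
    uint8_t buf[SECTOR];
    int13_read(MBR, buf);
    return memcmp(buf, "VIRUS-BODY", 10) == 0;
}

/* DOS's view: a usable partition means a nonzero type byte in the first entry
 * plus the 55AA signature, read through the same vector. */
static int dos_sees_partition(void) {
    uint8_t buf[SECTOR];
    int13_read(MBR, buf);
    return buf[PT_OFFSET + 4] != 0 && buf[510] == 0x55 && buf[511] == 0xAA;
}

/* FDISK /MBR: rewrite only the 446 bytes of boot code and keep whatever the
 * partition-table area on disk already holds (here: the virus's zeros). */
static void fdisk_mbr(void) {
    uint8_t buf[SECTOR];
    bios_read(MBR, buf);
    memset(buf, 0, PT_OFFSET);
    memcpy(buf, "CLEAN-BOOT-CODE", 15);
    bios_write(MBR, buf);
}

/* Virus-aware repair: fetch the encrypted copy from the hiding place, decrypt
 * it, and write the original MBR back over the virus. */
static void av_repair(void) {
    uint8_t buf[SECTOR];
    bios_read(HIDE_SECTOR, buf);
    for (int i = 0; i < SECTOR; i++) buf[i] ^= VIRUS_KEY;
    bios_write(MBR, buf);
    memset(disk[HIDE_SECTOR], 0, SECTOR);
}

static void fresh_disk(void) {
    memset(disk, 0, sizeof disk);
    build_clean_mbr(disk[MBR]);
    cold_boot_clean();
}

int main(void) {
    fresh_disk(); infect();
    printf("resident:   infected=%d partition=%d\n", mbr_looks_infected(), dos_sees_partition()); /* 0 1 */
    cold_boot_clean();
    printf("clean boot: infected=%d partition=%d\n", mbr_looks_infected(), dos_sees_partition()); /* 1 0 */
    fdisk_mbr();
    printf("FDISK /MBR: infected=%d partition=%d\n", mbr_looks_infected(), dos_sees_partition()); /* 0 0 */
    return 0;
}
```

With the virus resident, the scanner reports a clean MBR and DOS sees its partition, because both read through the hijacked vector. After a clean cold boot the same scanner sees the virus body, and the raw MBR shows no partition at all; FDISK /MBR at that point removes the virus body but leaves the empty partition-table area behind, so the disk is gone. Only a repair that knows where the virus hid the original and how it was encoded (av_repair here) restores a bootable, visible disk.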


In order to infect, a virus must change something.

A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.

To better find stealth viruses, be certain to cold boot from a known-clean (write-protected) floppy disk, so the virus is never loaded and cannot intercept disk reads, and avoid generic DOS commands. Use anti-virus software that knows the particular virus to handle these infections.