Tunnelling Viruses

Some viruses will attempt to tunnel under anti-virus monitoring programs in order to bypass their monitoring functions.

One method of virus detection is an interception program which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunnelling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus. This might cause an interrupt war between the anti-virus program and the virus and result in problems on your system.

Some anti-virus scanners also use tunnelling techniques to bypass any viruses that might be active in memory when they load.

Summary

A tunnelling virus attempts to bypass activity monitor anti-virus programs by following the interrupt chain back down to the basic DOS or BIOS interrupt handlers and then installing itself.