Sunday, May 18, 2008

Virus Detection Avoidance Techniques

Viral programs have almost no defense at all against disinfection. 99% of viruses are almost trivially simple to get rid of, simply by replacing the "infected" file (or boot sector) with an original copy. (Some more recent boot sector and system viruses require slightly more knowledge in order to perform effective disinfection: none require drastic measures.) Far from their image as the predators of the computer world, viral programs behave much more like prey. Their survival is dependent upon two primary factors: reproductive ability and avoidance of detection.

Using the standard system calls to modify a file leaves very definite traces. The change in a file's "creation" or "last modified" date is probably more noticeable than a growth in file size. File size is rather meaningless to most users, whereas dates and times do have significance for them. Changing the date back to its original value, however, is not a significant programming challenge. Adding code while avoiding a change in file size is more difficult, but not impossible. Overwriting existing code and adding code to "unused" portions of the file or disk are some possible means. (The fictional rogue program P1, in Thomas Ryan's "The Adolescence of P1", avoided problems of detection by analyzing and rewriting existing code in such a manner that the programs were more compact and ran more efficiently. Such activity has not yet, alas, been discovered in any existing virus.)

Some viral programs, or rather, virus authors, rely on psychological factors. There are a number of examples of viruses which will not infect program files under a certain minimum size, knowing that an additional 2K is much more noticeable on a 5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term is most often used for programs which attempt to avoid detection by trapping calls to read the disk and "lying" to the interrogating program. By so doing, they avoid any kind of detection which relies upon perusal of the disk. The disk gives back only that information regarding file dates, sizes and makeup which was appropriate to the original situation. (This also relies upon the virus being "active" at the time of checking.) Although this method avoids any kind of "disk" detection, including checksumming and signature scanning, it leaves traces in the computer's memory which can be detected. (Some viral programs also try to "cover their tracks" by watching for any analysis of the area they occupy in memory and crashing the system, but this tends to be noticeable behavior...)

FUNGENA.CVP 911202
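The column makes two points a defender can act on: a modified file's date can be put back and its size left unchanged, so date- and size-based checks are weak, while a content checksum still sees the change (as long as the checker is reading the real disk and not being lied to by an active stealth virus). The following Python is an added illustration, not code from the original column: it records size, modification time and a SHA-256 hash for each file, then simulates a same-size overwrite that restores the timestamp and shows which attributes the check still flags. The file name `UTIL.COM` and its contents are constructed sample data.

```python
"""Added example: a file-integrity baseline that catches a modification even
when the modifier restores the original timestamp and keeps the size unchanged.
Illustrative code, not part of the original column."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    sha256: str


def fingerprint(path: str) -> Record:
    """Collect the three attributes an integrity check can compare:
    size, last-modified time and a hash of the content."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Record(st.st_size, st.st_mtime_ns, h.hexdigest())


def build_baseline(paths):
    """Fingerprint every path once, on a system believed to be clean."""
    return {p: fingerprint(p) for p in paths}


def verify(baseline):
    """Return, per path, the list of attributes that differ from the baseline.
    Paths with no differences are omitted."""
    findings = {}
    for path, old in baseline.items():
        new = fingerprint(path)
        changed = [name for name in ("size", "mtime_ns", "sha256")
                   if getattr(old, name) != getattr(new, name)]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Simulate a same-size overwrite that restores the timestamp, then verify.
    Returns the attributes flagged for the constructed sample file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "UTIL.COM")   # constructed sample file
        with open(target, "wb") as f:
            f.write(b"\x90" * 64)              # 64 bytes of constructed filler
        baseline = build_baseline([target])
        original = baseline[target]

        # Overwrite the first 16 bytes in place (size unchanged), then put
        # the modification time back to its recorded value.
        with open(target, "r+b") as f:
            f.write(b"\xcc" * 16)
        os.utime(target, ns=(os.stat(target).st_atime_ns, original.mtime_ns))

        # Only the content hash differs: date and size checks alone would miss it.
        return verify(baseline).get(target, [])


if __name__ == "__main__":
    print("attributes flagged:", demo())
```

`verify` reports each differing attribute separately so the reader can see which checks a given trick defeats; a baseline that stores only dates and sizes would return nothing for this file. As the column notes, the check is only as good as the disk reads it depends on, so in practice it should be run from a clean boot where no stealth code is resident to intercept those reads.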
