312-50V11 · Question #164
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
The correct answer is A. Stealth virus. A stealth virus conceals itself from antivirus software by intercepting and modifying OS interrupt service calls at runtime, returning falsified clean data to any scanner that queries the affected files or sectors.
Question
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
Options
- AStealth virus
- BTunneling virus
- CCavity virus
- DPolymorphic virus
How the community answered
(16 responses)- A94% (15)
- D6% (1)
Why each option
A stealth virus conceals itself from antivirus software by intercepting and modifying OS interrupt service calls at runtime, returning falsified clean data to any scanner that queries the affected files or sectors.
Stealth viruses hook low-level OS interrupt calls (such as INT 13h for disk I/O) and alter the data returned during those calls so that antivirus programs receive a clean, uninfected view of files or boot sectors, actively corrupting the interrupt response while the system is running.
A tunneling virus installs itself beneath the OS to intercept interrupt calls at a hardware or BIOS level before AV hooks can monitor them, which is a different evasion approach than altering in-progress runtime call responses.
A cavity virus hides by inserting its code into unused gaps within an executable file without increasing file size, not by manipulating system call interrupts.
A polymorphic virus evades signature-based detection by mutating its own code and encryption routine with each replication cycle, rather than intercepting or altering OS service calls.
Concept tested: Stealth virus OS interrupt interception and evasion
Source: https://www.trendmicro.com/vinfo/us/security/definition/stealth-virus
Topics
Community Discussion
No community discussion yet for this question.