Anti-STEALTH V2.10

This program allows you to search for stealth viruses. Stealth viruses are viruses that try to hide themselves. Most modern and successful viruses are stealth viruses. If a stealth virus attacks a file and expands it by 500 bytes, you will not see that change when you run dir - the virus is hidden. This is dangerous because most antivirus programs are not able to find them if they don't know them. And if the virus is new, no antivirus program knows it!

How does it work? Anti-STEALTH reads each file's size twice (or 3 times, depending on the options.) The first time it behaves like a conventional DOS application (like dir). The second time it reads the true size (through Int 13h and directly through IDE) of that file. If they differ, a virus is there, and you know what to fight against.

This means that a virus can be detected only if it is already active in memory and if some files on the hard drive are infected. Therefore, you cannot check floppies using Anti-STEALTH.

This also means that if the virus is able to compress a file (so it can keep its original size), it may not be detected. Fortunately, most viruses are not able to do that -- the OneHalf virus is an exception, but it will be detected, too.
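
The size comparison described above, reduced to its core, as an added example that is not Anti-STEALTH's own code. It assumes the true size is taken from the size field of the file's 32-byte FAT directory entry in a raw sector, and it uses a constructed sector buffer in place of an Int 13h or IDE read; the names dos_view, cross_view_check, put_entry and demo are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the "true" size is the size field of the raw FAT directory entry.
 * dos_view is one file as DOS (FindFirst) reports it; name83 is 11 bytes, padded. */
struct dos_view { const char *name83; uint32_t size; };
/* Size field of a 32-byte FAT directory entry: offset 28, little-endian. */
static uint32_t raw_size(const uint8_t *e) {
    return (uint32_t)e[28] | (uint32_t)e[29] << 8 |
           (uint32_t)e[30] << 16 | (uint32_t)e[31] << 24;
}

/* Returns how many files have a DOS-reported size that differs from the raw
 * directory entry, or -1 if a file DOS lists has no raw entry at all. */
int cross_view_check(const uint8_t *sec, size_t len,
                     const struct dos_view *f, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *hit = NULL;
        for (size_t off = 0; off + 32 <= len && sec[off] != 0x00; off += 32) {
            const uint8_t *e = sec + off;
            if (e[0] == 0xE5 || (e[11] & 0x18)) continue; /* deleted, label, subdir */
            if (memcmp(e, f[i].name83, 11) == 0) { hit = e; break; }
        }
        if (!hit) return -1;
        if (raw_size(hit) != f[i].size) {
            printf("%.11s: DOS reports %lu bytes, disk holds %lu\n", f[i].name83,
                   (unsigned long)f[i].size, (unsigned long)raw_size(hit));
            bad++;
        }
    }
    return bad;
}

/* Write one constructed directory entry with the archive attribute (0x20). */
static void put_entry(uint8_t *e, const char *name83, uint32_t size) {
    memcpy(e, name83, 11); e[11] = 0x20;
    for (int i = 0; i < 4; i++) e[28 + i] = (uint8_t)(size >> (8 * i));
}
/* Constructed sample: the raw entry for COMMAND.COM is 500 bytes larger than
 * the size the DOS view reports; EDIT.EXE agrees in both views. */
int demo(void) {
    uint8_t sec[512] = {0};
    put_entry(sec, "COMMAND COM", 48345);
    put_entry(sec + 32, "EDIT    EXE", 12345);
    const struct dos_view dos[] = { {"COMMAND COM", 47845}, {"EDIT    EXE", 12345} };
    return cross_view_check(sec, sizeof sec, dos, 2);
}
int main(void) { printf("mismatches: %d\n", demo()); return 0; }
```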

By default, Anti-STEALTH uses only FindFirst to scan for files by DOS (you can disable this by /F-). You can force it to open every file and get its size with the /O+ option, but this may be dangerous, because some viruses infect every opened file. You may also want to disable reading through IDE for compatibility reasons; use the /I- switch in this case. You need to use /I- if your hard disk is SCSI.

Reading through IDE is safe; it's extremely hard to intercept it (QEMM is powerful enough to intercept it, but QEMM386.sys has 234KB -- and a 234KB virus would probably be too big to be efficient.) In this version it's done only on the first track, because many users experienced false alarms. I believe that it's still safe, because it would be hard for a file virus to hide by intercepting Int13. You can turn this off using /W+.

Final note: If AntiSTEALTH finds a problem, it will wait for you to press a key so it's safe to run from batch files.

Compatibility

This program expects C: to be the first partition of the first hard disk, D: the second partition of the first hard disk... Therefore, it cannot check a second physical hard drive and it will not work with drives swapped by DoubleSpace or Stacker. It's not a problem to correct this; please contact me if it is a problem for you.

When Astealth is reading through IDE, any access to the disk (caused by a write-back cache) can result in problems. Please disable all write-back caches (or switch them to write-through) and do not let any resident program access the hard drive. This also means that you should not read disks through IDE while in multitasking environments.

Microsoft says that this program is not compatible with their 32-bit disk access techniques, so don't use this under Windows. (Anyway, any program scanning for viruses under Windows is *very* unreliable, because if the virus were clever enough, it could bypass anything easily.)

Revision history:
2.10 Added /D+ option to force Diagnostics mode
     Now only first track of harddrive is read through IDE by default
2.00 Added reading directly through IDE, which is SAFE
1.00 First version, had bug causing it to work only under limited number of
     BIOSes
1.01 Bug has been corrected

Shareware

This program is shareware; please register after the 21-day testing period. Registration fee is $5 (or 50Kc for people from the Czech/Slovak Republic). Please send me an e-mail or a letter before/after you send money (for safety reasons).

My address:
           Pavel MACHEK
           Volkova 1131
    198 00 Praha 9
           Czech republic

My phone:  +42-2-866 233
My e-mail: machek@k332.feld.cvut.cz