What is a stealth virus and how does it work?
A stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice.
Typically, a stealth virus can hide in a computing device's legitimate files, partitions or boot sectors without alerting the antivirus software or notifying the user of its presence. Once injected into a computer, the virus enables the attackers to operate and gain control over parts of the system or the entire system.
How a stealth virus works
A stealth virus is any virus that tries to avoid detection by antivirus software. However, viruses that escape notice, even if they're not specifically designed to do so, are also described as stealth viruses. This sometimes occurs because the virus is new or because users haven't updated their antivirus software to be able to detect the infection.
Stealth viruses aren't new. Brain, the first known virus to target IBM PCs, was a stealth virus that infected the boot sector of a floppy storage disk. Brain was created in Pakistan as an antipiracy measure in 1986.
A stealth virus has an intelligent architecture, making it hard to eliminate from a computer system. The virus is smart enough to rename itself and send copies to a different drive or location, evading detection by the system's antivirus software. The only way to remove it is to wipe the computer and rebuild it from scratch.
Booting a computer from a removable disk, such as a USB drive, prevents the stealth virus from running amok before the antivirus or antimalware software scans for malware. Sophisticated, up-to-date antivirus software can reduce the risk of infection or eradicate a virus. Stealth viruses harm enterprises. The average cost of a data breach from a stealth virus or other cyberattack is $4.4 million.

Types of stealth viruses
There are several types of stealth viruses. The most common are the following:
- Boot sector. These are named after the master boot record that they infect. By infecting the master boot record, the boot sector virus is active before the operating system loads, bypassing many digital defenses.
- Polymorphic. These modify their code with each infection, allowing them to evade signature-based virus detection.
- Rootkit-based. These embed themselves deep within a system file for long-term access.
- Encrypted. These use encryption techniques to mask their presence, decrypting themselves only during execution.
- Metamorphic. These completely rewrite their code to change their structure.
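A boot sector infection can be checked for from trusted boot media by comparing the master boot record against a baseline recorded for the same disk. The following is an added example, not part of the original article; it assumes the classic 512-byte MBR layout, and the sector contents and names such as `check_mbr` are constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0-445: bootstrap code area
TABLE_END = 510               # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511

def boot_code_digest(sector):
    """Hash only the bootstrap code, so legitimate repartitioning is not flagged."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()

def check_mbr(sector, baseline_digest):
    """Return a list of findings for one MBR sector read from offline media."""
    if len(sector) != SECTOR_SIZE:
        return ["wrong-sector-size"]
    findings = []
    if sector[TABLE_END:] != BOOT_SIGNATURE:
        findings.append("bad-boot-signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot-code-changed")
    # First byte of each partition entry is the status flag: 0x80 active, 0x00 inactive.
    flags = [sector[BOOT_CODE_END + 16 * i] for i in range(4)]
    if any(f not in (0x00, 0x80) for f in flags):
        findings.append("invalid-partition-flag")
    if flags.count(0x80) > 1:
        findings.append("multiple-active-partitions")
    return findings

def make_sector(code, flags=(0x80, 0, 0, 0)):
    """Build a constructed sample sector: padded code, partition table, signature."""
    table = b"".join(bytes([f]) + b"\x00" * 15 for f in flags)
    return code.ljust(BOOT_CODE_END, b"\x00") + table + BOOT_SIGNATURE

# Constructed samples (placeholder bytes, not real boot code).
BASELINE = make_sector(b"constructed-known-good-boot-code")
BASELINE_DIGEST = boot_code_digest(BASELINE)
TAMPERED = make_sector(b"constructed-modified-boot-code")
REPARTITIONED = make_sector(b"constructed-known-good-boot-code", flags=(0, 0x80, 0, 0))

if __name__ == "__main__":
    for name, sector in [("baseline", BASELINE), ("tampered", TAMPERED),
                         ("repartitioned", REPARTITIONED)]:
        print(name, check_mbr(sector, BASELINE_DIGEST))
```

The sector must be read while booted from trusted media; a resident boot sector virus can return the saved original to a scanner running on the infected system.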
How a stealth virus infects a computer
A stealth virus usually enters the system via infected web links, malicious email attachments and third-party application downloads. The virus tricks the system to get past an antivirus program using two primary methods:
- Code modification. To avoid detection, the virus modifies every infected file's code and virus signature.
- Data encryption. The virus renders the affected file inaccessible or unreadable to the user by encrypting it and using a different encryption key for different files.
Typically, when an antivirus program runs, a stealth virus hides in memory and uses various tricks to conceal any changes it has made to files or boot records. It can maintain a copy of the original, uninfected data and monitor system activity. When a program attempts to access altered data, the virus redirects it to a storage area that maintains the original data.
An antivirus program should scan the computer's memory and other commonly targeted areas to find stealth viruses. But this isn't always successful, because viruses can be designed to hide from antivirus software. They do this by concealing the size of the file they have infected, moving away from the infected file, copying themselves to a different drive and replacing themselves with a clean file.
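Because the virus answers read requests with the original data and conceals file sizes, a defender can compare what the running system reports with what a scan from trusted boot media sees. The following cross-view comparison is an added example, not part of the original article; the paths, file contents and function names are constructed for illustration.

```python
import hashlib

def manifest(files):
    """Build {path: (size, sha256)} from {path: bytes}, i.e. one view of the disk."""
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}

def cross_view_diff(live, offline):
    """Compare the running system's view with a trusted offline view.

    Returns a sorted list of (path, finding) tuples.
    """
    findings = []
    for path, (off_size, off_hash) in offline.items():
        if path not in live:
            # Present on disk but not listed by the running system.
            findings.append((path, "hidden-from-live-view"))
            continue
        live_size, live_hash = live[path]
        if live_size != off_size:
            # Running system reports a different size than is on disk.
            findings.append((path, "size-mismatch"))
        elif live_hash != off_hash:
            # Same size, but reads on the running system return different bytes.
            findings.append((path, "content-mismatch"))
    for path in live.keys() - offline.keys():
        findings.append((path, "only-in-live-view"))
    return sorted(findings)

# Constructed sample data: placeholder bytes, not real executables.
CLEAN = b"MZ" + b"\x00" * 62
LIVE_VIEW = manifest({            # as reported by the possibly infected OS
    "C:/tools/app.exe": CLEAN,
    "C:/tools/cfg.ini": b"mode=1",
    "C:/tools/readme.txt": b"hello",
})
OFFLINE_VIEW = manifest({         # as read after booting from trusted media
    "C:/tools/app.exe": CLEAN + b"X" * 16,   # file is larger on disk
    "C:/tools/cfg.ini": b"mode=2",
    "C:/tools/readme.txt": b"hello",
    "C:/tools/helper.sys": b"\x01\x02\x03",  # not listed by the running OS
})

if __name__ == "__main__":
    for path, finding in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW):
        print(f"{finding:24} {path}")
```

Any finding means the two views disagree, which is the behavior described above; files that legitimately changed between the two scans also show up, so the scans should be taken close together.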
Common stealth virus attack issues
When a stealth virus infects a computer system, it lets attackers control a variety of system tasks. The following are some of the issues associated with stealth virus attacks:
- Sudden system crashes.
- A prolonged time to restart.
- Slow system performance.
- Appearance of unidentified icons on the computer screen.
- System turns on or off without user intervention.
- Security programs stop working.
- Issues with printing devices.

How stealth viruses avoid detection
A stealth virus can use several different techniques to evade detection. The most common include the following:
- Altering system files so antivirus programs can't distinguish between infected and legitimate code.
- Interfering with security and detection software by disabling or manipulating them.
- Encrypting or modifying code to avoid recognition by traditional antivirus methods.
- Hiding in system memory so it can operate without writing to disk.
- Intercepting and altering system requests that security tools make.
- Replicating and spreading so that the virus infects multiple systems.
Protecting devices against stealth viruses
The following are strategies to protect against a stealth virus:
- Strong antivirus software. A comprehensive, up-to-date antivirus program recognizes and protects systems from stealth viruses and other malware, such as Trojans, worms, ransomware, spyware and adware. Modern antivirus programs use a virus signature strategy to detect and eliminate stealth virus threats. These signatures must be regularly updated to ensure the antivirus software can detect and eliminate new types of stealth viruses.
- Email security practices. Stealth viruses can enter a system via email and email attachments. Users shouldn't open emails or click on links in them if they're from an unknown source or look suspicious.
- Computing and search hygiene. It's important to avoid visiting unfamiliar websites and those that are known security risks. Ads on websites are a common source of viruses; ad blockers prevent advertisements from appearing on webpages.
Real-life examples of stealth viruses
Stealth viruses have been active for several decades. The following are among the most famous:
- Brain was the first recorded use of a stealth virus, infecting the boot sector of floppy disks. It appeared in 1986 and is no longer an active threat.
- Chernobyl appeared in 1998 and is no longer a significant threat. It overwrote system firmware and caused massive data loss.
- FunLove was first seen in 1999 and continues to cause problems. It's a stealth virus that infects Windows systems, bypassing standard security measures and spreading through network contacts.
- Sality appeared in 2003 and continues to be a threat. It's a polymorphic virus that alters its code while disabling antivirus software.
- ZeroAccess came out in 2011; variations of the original virus continue to cause problems. It's a rootkit-enabled virus that hides deep within operating systems to create a botnet.
Stealth viruses are one of the most dangerous modern cybersecurity threats.