To understand how malware hides, you have to understand what it is.
A virus is a man-made piece of code that attaches itself to, or hides inside, another program or file and causes an unexpected and usually undesirable event when that host is run. A virus replicates itself by infecting further hosts and is designed to spread automatically to other computers and users.
A Trojan is a stand-alone program that masquerades as something benign while carrying a hidden function its author deliberately built in. That hidden function performs an activity the user is unaware of, and because the program looks harmless it gets run willingly and gains control of the system. Trojans do not replicate on their own: they are ordinary executables (.exe, .vbs, .com, .bat, etc.), so the hidden action occurs when you open the file.
A worm is a self-supporting program that is counted in the viral camp because it replicates and spreads from computer to computer. As with viruses, a worm's malicious effect is often the act of replication itself; worms can overwhelm infrastructure by generating massive numbers of e-mails or connection requests that servers cannot handle. Worms differ from viruses in that they are not bits of code living inside other files; they are whole files in their own right, and they replicate without needing a host program to be run.
Spyware is usually non-viral. It is a generic term for unsolicited commercial software, or parasites, installed without the user's full knowledge, consent and understanding, which primarily serves the interests of the commercial parties behind the software rather than the end users on whose systems it is installed.
RATs (Remote Administration Trojans) are malicious programs that let an intruder remotely control a computer across a network or the Internet. They masquerade as one thing when in fact they are something else. Their purpose is not replication but penetration and control. RATs get onto a system either because the victim runs the disguised installer, or by exploiting weaknesses in standard programs and browsers. Once resident, RATs are hard to detect and remove: they operate in the background and typically either hide from the Task Manager list or appear there under an innocuous-looking name.
Nefarious RATs are designed to install themselves in such a way that they are very difficult to remove even after discovery. One RAT of the Back Orifice era, G_Door, installs its server as Kernel32.exe in the Windows system directory, where it runs, stays locked and controls its own registry keys. (The name is a deliberate lookalike: the real kernel32 is a DLL, kernel32.dll, so a kernel32.exe in the system directory is itself a warning sign.) Because the executable is running it cannot be deleted, and a reboot does not clear the registry keys; every time the infected computer starts, Kernel32.exe is launched again, active and locked. Other well-known RATs of the same generation include Netbus, SubSeven, Bionet and Hack'a'tack. These RATs tend to be families rather than single programs: hackers morph them into a vast array of Trojans with similar capabilities. The ability of the RAT server to initiate the connection outward to the attacker, instead of waiting for an inbound connection, also lets some of them slip past firewalls that only filter inbound traffic.
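As an added example (not code from the original post), the following PowerShell triage walks the standard Run/RunOnce autostart keys that a RAT like the G_Door description relies on, extracts the image path from each command line, and flags entries whose file name mimics a core OS component (kernel32.exe is the case from the text; the rest of the lookalike list is an assumption for the demo) or whose image no longer exists. It then lists any running process with such a name, since a locked image has to be stopped before it can be removed.

```powershell
# Added example, not part of the original post. Registry paths are the standard
# autostart keys; the lookalike-name list is an assumption chosen for the demo.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Names that imitate core OS components. On a legitimate install kernel32 is a DLL,
# so a kernel32.exe anywhere, let alone in System32, deserves a second look.
$lookalikes = @('kernel32.exe', 'svchost32.exe', 'explorer32.exe')

function Get-AutostartFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSParentPath, ...).
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Recover the image path: quoted path first, otherwise the first token.
            $image = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
            $image = [Environment]::ExpandEnvironmentVariables($image)
            if (-not $image) { continue }
            $leaf = Split-Path -Leaf $image
            $flag = ''
            if ($lookalikes -contains $leaf) {
                $flag = 'lookalike system file name'
            } elseif (-not (Test-Path -LiteralPath $image)) {
                $flag = 'image missing (dangling autostart entry)'
            }
            [pscustomobject]@{ Key = $key; Value = $p.Name; Image = $image; Flag = $flag }
        }
    }
}

Get-AutostartFindings | Format-Table -AutoSize

# A running server keeps its image file locked; find the process before trying to
# delete the file or the registry value that relaunches it.
Get-Process |
    Where-Object { $_.Path -and ($lookalikes -contains (Split-Path -Leaf $_.Path)) } |
    Select-Object Id, ProcessName, Path
```

Run it from an elevated shell so the HKLM keys and all process paths are readable. Entries with an empty Flag column still merit a glance at the Image column; the point of the lookalike check is only to surface the obvious masquerades quickly.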
Alternate Data Streams (ADS) provide a way to hide rootkits or hacker tools on a breached system and to execute them without being detected. ADS are also used legitimately by a variety of programs, including the Windows operating system itself, to store file information such as attributes and temporary data. A file carrying an ADS is very hard to spot with the native file browsing tools of the time, such as the command line or Windows Explorer, because they report only the file's primary stream. A tool is injected by redirecting it into a stream behind an innocent file (for example with type), and on older Windows versions the stream could then be launched directly with start or from a script written in VB or Perl. When launched, the ADS executable appears to run as the original file, so process viewers like Windows Task Manager show the innocent host name. With this method it is possible not only to hide a file but also to hide the execution of an illegitimate process.
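As an added example (not code from the original post), this PowerShell session shows the hiding effect described above and the checks that defeat it: a payload is written into an alternate stream of a harmless text file, a plain directory listing reports only the primary stream, and the stream is then enumerated, hunted for across a directory tree and removed. The file and stream names are assumptions chosen for the demo.

```powershell
# Added example, not part of the original post. File and stream names are assumptions.
$base = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $base -Value 'innocent looking notes'

# Inject a second stream behind the same file name. The primary stream is untouched,
# so the size shown by Explorer and a default listing looks completely normal.
Set-Content -Path $base -Stream 'payload.bin' -Value 'pretend this is a hacker tool'

# What a default listing shows: only the primary stream's length.
Get-ChildItem -Path $base | Select-Object Name, Length

# Enumerate every stream on the file. ':$DATA' is the primary stream; anything else
# is an alternate stream worth a closer look.
Get-Item -Path $base -Stream * | Select-Object Stream, Length

# cmd.exe equivalent on Vista and later: dir /R lists streams as well.
cmd /c "dir /R `"$base`""

# Hunt across a tree: list every file that carries a non-default stream.
# Zone.Identifier is excluded because Windows writes it on every download.
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Root $env:TEMP

# Read the hidden content back, then remove only the ADS and leave the host file intact.
Get-Content -Path $base -Stream 'payload.bin'
Remove-Item -Path $base -Stream 'payload.bin'
Get-Item -Path $base -Stream *   # only ':$DATA' should remain
```

The stream parameters on Get-Item, Set-Content, Get-Content and Remove-Item require PowerShell 3.0 or later and only work on NTFS volumes; copying a file to FAT, or e-mailing it, silently drops every alternate stream, which is one reason ADS is a hiding place rather than a transport.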
Thus malware can hide in any number of places on your system using a number of techniques. Some use Trojan horses or rootkits to conceal themselves, others masquerade as legitimate files or services, and some modify the registry and/or the operating system itself to embed and hide.
For places that viruses and trojans hide, see: http://www.governmentsecurity.org/articles...deonstartup.php
Rootkits are a new generation of powerful system-monitoring programs that are almost impossible to detect using current security products. A rootkit is not an infection or a Trojan in and of itself; it is used by Trojans, and occasionally by software vendors, to conceal their presence. A rootkit's purpose is therefore to hide itself and other software from view so that a user cannot identify, and potentially remove, an attacker's software. Several Windows-specific rootkits have appeared in the past couple of years, and they tend to be bundled with the most dangerous kinds of malware, such as keystroke loggers that steal passwords. "Hacker Defender", "FU" and "Vanquish" are examples.
There are several rootkit classifications, depending on whether the rootkit survives a reboot and whether it executes in user mode or kernel mode. Explaining what they are and how they work can be complicated, so I will refer you to the following links:
Windows rootkits of 2005, Part 1 of 3 [2005-11-04] http://www.securityfocus.com/infocus/1850
Windows rootkits of 2005, Part 2 of 3 [2005-11-17] http://www.securityfocus.com/infocus/1851
Windows rootkits of 2005, Part 3 of 3 [2006-01-05] http://www.securityfocus.com/infocus/1854