
OneHalf

From Malware Wiki
Type Virus
Creator Vyvojar
Date October 1994
Origin Slovakia
Programming Language Assembly
Platform MS-DOS
Filetype
  • DOS executable (.COM)
  • MZ executable (.EXE)
Alias(es)
  • Slovak Bomber
  • Freelove
  • Explosion-II
Size 3,544 bytes
MD5 d5be39c64144e372fb8218d3a1c4ab85
SHA1 d28b0260a6ced8e5d64f3dd727f8f48a29e1b516
SHA256 a794ebc2aa7639a82a873efa2906da18c0a702857049aae32ac086590db61141
SSDEEP 96:9LUuXWNv0coHJTAInd9Hph1rM6TMvBGWK:9Ljm+cKTAIrJLM6TMvBU

OneHalf, also known as Slovak Bomber, Freelove and Explosion-II<ref>http://www.f-secure.com/v-descs/one_half.shtml</ref>, is a polymorphic multipartite virus for MS-DOS: it infects both the master boot record of the hard disk and .COM/.EXE executables, and it gradually encrypts the hard disk from the end toward the beginning.

Behavior

The virus infects the master boot record of the hard disk and executable files. It does not infect files whose filenames contain any of the following strings (names of contemporary anti-virus and disk-checking tools):

SCAN CLEAN FINDVIRU GUARD NOD VSAFE MSAV CHKDSK

Each time the computer boots from the infected hard disk, the virus loads into memory and encrypts the last two cylinders that are still unencrypted, working from the end of the disk toward the beginning. The encryption is a bitwise XOR with a randomly generated key; because XOR is its own inverse, decryption is the same operation with the same key.

While the virus is resident it intercepts disk access and decrypts these cylinders on the fly, so the user does not notice that their data is being encrypted.

Payload

When the number of encrypted cylinders reaches half of the disk's total and the day of the month is the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th or 30th, the virus displays the following message when the computer boots:

Dis is one half.
Press any key to continue ...

Removal

First decrypt the encrypted cylinders (the XOR key is held only by the virus, so this must be done by a disinfection tool that recovers the key, or while the virus is still resident and decrypting transparently), then replace the infected files with clean copies and restore a clean master boot record. Rewriting the MBR or deleting the virus before the cylinders are decrypted leaves that part of the disk permanently scrambled.

Other details

Careless disinfection results in data loss. The virus alone holds the XOR key for the encrypted cylinders, so removing it (for example, by simply overwriting the MBR) without first decrypting them leaves the user's data in those cylinders permanently encrypted; the encrypted region is ordinary user data, not just infected files.
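The following is an added example, not the wiki's own text and not code from the virus: a small Python model of the behaviour described in the Behavior, Payload and Removal sections (skip-list on filenames, two more cylinders XOR-encrypted per boot, transparent decryption while the virus is resident, the half-disk-plus-trigger-day message, and the difference between decrypting before removal and removing carelessly). The disk layout, the cylinder contents, the class and function names and the use of a one-byte XOR key are all assumptions made for the illustration; they are not details of the real OneHalf.

```python
import os

# Substrings the file infector avoids (taken from the page's list).
SCANNER_NAMES = ("SCAN", "CLEAN", "FINDVIRU", "GUARD", "NOD", "VSAFE", "MSAV", "CHKDSK")
# Days of the month on which the boot message can appear (taken from the page's list).
TRIGGER_DAYS = {4, 8, 10, 14, 18, 20, 24, 28, 30}
PAYLOAD_TEXT = "Dis is one half.\nPress any key to continue ..."


def is_skipped_filename(name: str) -> bool:
    """True if the file infector would leave this file alone."""
    upper = name.upper()
    return any(s in upper for s in SCANNER_NAMES)


def xor_cylinder(data: bytes, key: int) -> bytes:
    """Bitwise XOR of every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


class InfectedDisk:
    """Toy model of a hard disk with a resident OneHalf-style infector.

    `cylinders` is a list of byte strings, one per cylinder, lowest cylinder first.
    `key` is the random XOR key the resident virus keeps in memory; a single byte
    is a simplification made for this example, not a claim about the real virus.
    """

    def __init__(self, cylinders, key=None):
        self.cylinders = [bytes(c) for c in cylinders]
        self.key = key if key is not None else os.urandom(1)[0]
        self.first_encrypted = len(self.cylinders)  # cylinders at or after this index are XORed
        self.resident = True                         # virus loaded at boot, hooking disk access

    @property
    def encrypted_count(self) -> int:
        return len(self.cylinders) - self.first_encrypted

    def boot(self, day_of_month: int):
        """One boot from the infected disk: encrypt the last two still-unencrypted
        cylinders (working from the end of the disk), then evaluate the payload
        condition. Returns the message text if it would be shown, otherwise None."""
        for _ in range(2):
            if self.first_encrypted == 0:
                break
            self.first_encrypted -= 1
            i = self.first_encrypted
            self.cylinders[i] = xor_cylinder(self.cylinders[i], self.key)
        half_done = self.encrypted_count >= len(self.cylinders) // 2
        if half_done and day_of_month in TRIGGER_DAYS:
            return PAYLOAD_TEXT
        return None

    def read(self, index: int) -> bytes:
        """A read as the user sees it: while the virus is resident it decrypts encrypted
        cylinders transparently; once it is gone, those cylinders come back scrambled."""
        raw = self.cylinders[index]
        if self.resident and index >= self.first_encrypted:
            return xor_cylinder(raw, self.key)
        return raw

    def careless_removal(self) -> None:
        """Remove the virus, and with it the only copy of the key, without decrypting."""
        self.resident = False
        self.key = None

    def safe_removal(self) -> None:
        """Decrypt every encrypted cylinder while the key is still known, then remove."""
        for i in range(self.first_encrypted, len(self.cylinders)):
            self.cylinders[i] = xor_cylinder(self.cylinders[i], self.key)
        self.first_encrypted = len(self.cylinders)
        self.careless_removal()


def demo() -> None:
    # Constructed sample disk: eight tiny "cylinders" of user data.
    plain = [b"boot", b"dos", b"apps", b"docs", b"d1", b"d2", b"d3", b"d4"]
    disk = InfectedDisk(plain, key=0x5A)
    for day in (1, 2, 4):  # three boots: 2, 4 and then 6 cylinders encrypted
        msg = disk.boot(day)
        print(f"day {day}: {disk.encrypted_count} of {len(plain)} cylinders encrypted"
              + (f"; message: {msg!r}" if msg else ""))
    print("read while resident:", disk.read(7))
    disk.careless_removal()
    print("read after careless removal:", disk.read(7))


if __name__ == "__main__":
    demo()
```

The point of the model is the last two methods: `safe_removal` walks the encrypted region with the key before the virus is discarded, while `careless_removal` leaves `read()` returning the raw XORed bytes for everything past `first_encrypted`, which is exactly the data loss the Removal section warns about.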

It is also one of the first viruses to implement the "patchy infection" technique introduced in Bomber.

OneHalf can itself be detected and infected by another virus, SSR.

References

<references />

Media

Onehalf virus review by danooct1