FRISK Software International


Summary of One_Half
Alias: Onehalf, Slovak Bomber, Explosion-II, Freelove
Length: 3544
Infectable objects: Hard disk MBRs and COM and EXE files
Discovered: 1 May 1994
 

Brief Description
One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found both in the USA and in Europe. One_Half is a destructive virus: its removal may cause files to be damaged.


Technical Description
One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes with every infection. One_Half attempts to infect COM and EXE files only on floppy (and possibly network) drives.

Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.

The following unencrypted text strings can be found inside the virus's code:


        Dis is one half.
        Press any key to continue ...
        Did you leave the room ?
The virus also contains the names of many anti-virus products:


        SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV
One_Half is a destructive virus. Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. This way, the encrypted area slowly creeps toward the beginning of the disk. When information is read from the encrypted area, the virus decrypts it on the fly, so the user doesn't notice anything out of the ordinary.

Note that the virus's stealth routines do not work correctly under Windows 95, so there the encryption is directly visible.

The encrypted information stays encrypted while the virus is not resident, so the true nature of things is revealed only after the computer is booted from a diskette or after the virus is removed. If One_Half is removed from a hard disk's MBR without first making a backup copy of the computer's data, it is almost impossible to restore the encrypted information on the hard disk; the virus stores both the encryption key and information about the location and extent of the encrypted area inside its own code in the MBR.
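The two behaviours described above, the stealth hooks that hide the infected MBR and decrypt the encrypted cylinders on read, and the consequence that removing the MBR before decrypting loses the key and extent, can be illustrated with a small simulation. The following is an added example written for this page; it is not code from FRISK/F-PROT and contains nothing of the virus itself. The layout of the toy virus body (a marker, one key byte, one byte giving the lowest encrypted cylinder), the XOR cipher, the eight-cylinder disk and all data values are constructed assumptions; the page does not describe the real cipher or data layout.

```python
# Toy model of One_Half-style "creeping" disk encryption and of the two
# removal orders a responder can choose. Added example, not the page's or
# the product's code. The virus-body layout, the XOR cipher and the disk
# contents are constructed assumptions (the page gives none of them).

CYLINDERS = 8          # constructed: tiny disk with 8 cylinders
MARKER = b"ONEHALF"    # constructed: how this toy recognises an infected MBR


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy symmetric cipher standing in for the virus's real, unspecified one."""
    return bytes(b ^ key for b in data)


class ToyDisk:
    def __init__(self, original_mbr: bytes, plaintext: list[bytes]):
        self.mbr = original_mbr       # sector 0 of track zero
        self.track0_stash = b""       # other track-zero sectors: saved original MBR
        self.cyl = list(plaintext)    # one bytes object per cylinder
        self.resident = False         # are the stealth/decrypt hooks active?

    # ---- infection and boot ---------------------------------------------
    def infect(self, key: int) -> None:
        """Replace the MBR with a virus body recording the key and the extent."""
        self.track0_stash = self.mbr                    # original MBR hidden on track zero
        self.mbr = MARKER + bytes([key, CYLINDERS])     # lowest encrypted cyl = none yet
        self.resident = True

    def infected(self) -> bool:
        return self.mbr.startswith(MARKER)

    def virus_state(self) -> tuple[int, int]:
        """(key, index of the lowest encrypted cylinder) from the virus body."""
        return self.mbr[len(MARKER)], self.mbr[len(MARKER) + 1]

    def boot(self) -> None:
        """Each boot encrypts the last two still-unencrypted cylinders."""
        if not self.infected():
            self.resident = False
            return
        key, low = self.virus_state()
        new_low = max(0, low - 2)
        for i in range(new_low, low):
            self.cyl[i] = xor_bytes(self.cyl[i], key)
        self.mbr = MARKER + bytes([key, new_low])       # extent creeps toward cyl 0
        self.resident = True

    # ---- what the user or a scanner sees --------------------------------
    def read_mbr(self) -> bytes:
        """Stealth: while resident, the virus returns the original MBR."""
        return self.track0_stash if self.resident else self.mbr

    def read_cylinder(self, i: int) -> bytes:
        """Stealth: while resident, encrypted cylinders are decrypted on read."""
        key, low = self.virus_state() if self.resident else (0, CYLINDERS)
        return xor_bytes(self.cyl[i], key) if i >= low else self.cyl[i]

    # ---- two removal strategies -----------------------------------------
    def naive_remove(self) -> None:
        """Restore the MBR first: key and extent are overwritten with it."""
        self.mbr, self.track0_stash, self.resident = self.track0_stash, b"", False

    def careful_remove(self) -> None:
        """Read key/extent from the virus body, decrypt, THEN restore the MBR."""
        key, low = self.virus_state()
        for i in range(low, CYLINDERS):
            self.cyl[i] = xor_bytes(self.cyl[i], key)
        self.naive_remove()


def scenario(careful: bool, boots: int = 2) -> tuple[bytes, list[bytes]]:
    """Infect, boot `boots` times, remove one way or the other; return raw contents."""
    plain = [bytes([0x41 + i]) * 4 for i in range(CYLINDERS)]   # constructed data
    disk = ToyDisk(b"ORIGINAL-MBR", plain)
    disk.infect(key=0x5A)                                       # constructed key
    for _ in range(boots):
        disk.boot()
    # While resident, neither the MBR nor the data looks unusual.
    assert disk.read_mbr() == b"ORIGINAL-MBR"
    assert [disk.read_cylinder(i) for i in range(CYLINDERS)] == plain
    (disk.careful_remove if careful else disk.naive_remove)()
    return disk.mbr, disk.cyl


if __name__ == "__main__":
    for careful in (True, False):
        mbr, cyl = scenario(careful)
        print("careful" if careful else "naive", mbr, cyl)
```

After two boots the toy disk has cylinders 4 to 7 encrypted. `scenario(True)` returns the original MBR and fully plaintext cylinders because the key and extent were read from the infected MBR before it was overwritten; `scenario(False)` returns the same clean MBR but leaves cylinders 4 to 7 scrambled, and nothing on the disk any longer records the key or where the encrypted region starts, which is the page's point about backing up before removal.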

There are at least two more variants, 3577 and 3518 bytes in size.


[Analysis: Mikko Hypponen, F-Secure]