Classification

Category :

Malware

Type :

-

Aliases :

One_Half, Onehalf, Slovak Bomber, Explosion-II, Freelove

Summary

One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found both in USA and Europe. One_Half is a destructive virus: its removal may cause files to be damaged.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes between every infection. One_Half attempts to infect COM and EXE files only on floppy (and possibly network) drives.

Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.

The following, unencrypted texts can be found inside the viruse's code:

Dis is one half.
 Press any key to continue ...
 Did you leave the room ?

The virus also contains the names of many anti-virus products:

SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

One_Half is a destructive virus. Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. This way, the encrypted area slowly creeps toward the disk's beginning. When information is retrieved from the encrypted area, the virus decrypts it on the way, so the user doesn't notice anything out of the ordinary.

Do note that the stealth routines of the virus do not work correctly under Windows 95, and the encryption is directly visible.

The encrypted information stays encrypted while the virus is not resident, so the true nature of things is revealed only after the computer is booted from a diskette or after the virus is removed. If One_Half is removed from a hard disk's MBR without first making a backup copy of the computer's data, it is almost impossible to restore the encrypted information on the hard disk; the virus stores both the encryption key and information about the location and extent of the encrypted area inside its own code in the MBR.

There are at least two more variants, 3577 and 3518 bytes in size.

copy any important files to a floppy disk or tape before with the virus resident before removing the virus. The virus and the encryption can be removed with a SAC utility which is available at: ftp://ftp.F-Secure.com/pub/misc/anti-vir/onehalf.zip