Threat Description

One_Half

Details

Aliases:One_Half, Onehalf, Slovak Bomber, Explosion-II, Freelove
Category: Malware
Type:
Platform: W32

Summary



One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found both in USA and Europe. One_Half is a destructive virus: its removal may cause files to be damaged.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes between every infection. One_Half attempts to infect COM and EXE files only on floppy (and possibly network) drives.

Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.

The following, unencrypted texts can be found inside the viruse's code:

Dis is one half.
  Press any key to continue ...
  Did you leave the room ?

The virus also contains the names of many anti-virus products:

SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

One_Half is a destructive virus. Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. This way, the encrypted area slowly creeps toward the disk's beginning. When information is retrieved from the encrypted area, the virus decrypts it on the way, so the user doesn't notice anything out of the ordinary.

Do note that the stealth routines of the virus do not work correctly under Windows 95, and the encryption is directly visible.

The encrypted information stays encrypted while the virus is not resident, so the true nature of things is revealed only after the computer is booted from a diskette or after the virus is removed. If One_Half is removed from a hard disk's MBR without first making a backup copy of the computer's data, it is almost impossible to restore the encrypted information on the hard disk; the virus stores both the encryption key and information about the location and extent of the encrypted area inside its own code in the MBR.

There are at least two more variants, 3577 and 3518 bytes in size.

copy any important files to a floppy disk or tape before with the virus resident before removing the virus. The virus and the encryption can be removed with a SAC utility which is available at:ftp://ftp.F-Secure.com/pub/misc/anti-vir/onehalf.zip





Description Created: Mikko Hypponen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More