One_Half is a multipartite virus. It infects hard disk MBRs
and COM and EXE files. Infected files grow by 3544 bytes.
The virus is also polymorphic, so its appearance changes
between every infection. One_Half attempts to infect COM and
EXE files only on floppy (and possibly network) drives.
Besides the aforementioned features, One_Half employs
stealth virus techniques. When the MBR of an infected hard
disk is examined, the virus shows the original contents of
the MBR. It makes the other sectors on the zero track seem
empty, although in truth they contain a part of the virus
code and the original MBR.
The following unencrypted texts can be found inside the virus:
Dis is one half.
Press any key to continue ...
Did you leave the room ?
The virus also contains the names of many anti-virus programs:
SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV
One_Half is a destructive virus. Every time an infected
computer is booted, the virus encrypts the last two
unencrypted cylinders on the hard disk. This way,
the encrypted area slowly creeps toward the disk's
beginning. When information is retrieved from the encrypted
area, the virus decrypts it on the way, so the user doesn't
notice anything out of the ordinary.
Do note that the stealth routines of the virus do not work correctly
under Windows 95, and the encryption is directly visible.
The encrypted information stays encrypted while the virus is
not resident, so the true nature of things is revealed only
after the computer is booted from a diskette or after the
virus is removed. If One_Half is removed from a hard disk's
MBR without first making a backup copy of the computer's
data, it is almost impossible to restore the encrypted
information on the hard disk; the virus stores both the
encryption key and information about the location and extent
of the encrypted area inside its own code in the MBR.
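The two behaviours above (stealth reads while the virus is resident, and the creeping encryption whose key and boundary live only in the infected MBR) can be shown in a small simulation. The following is an added toy model written for this page; it is not One_Half's code, and the 16-bit XOR cipher, the "1/2" marker and the MBR layout are assumptions chosen for illustration, not the real virus's on-disk format. What it demonstrates is the failure mode the description warns about: restoring a clean MBR without decrypting first strands the ciphertext.

```python
"""Toy model of a One_Half-style creeping-encryption MBR virus (added example).

Assumed, not taken from the real virus: the XOR cipher, the MAGIC marker and
the layout of the infected MBR (magic + key + first encrypted cylinder).
"""
import struct

CYLINDER_BYTES = 64   # toy size; real cylinders are far larger
NUM_CYLINDERS = 16    # toy disk
MAGIC = b"1/2"        # assumed marker for the infected MBR


def xor_bytes(data, key):
    """XOR data with a repeating 16-bit little-endian key (assumed cipher)."""
    k = struct.pack("<H", key)
    return bytes(b ^ k[i % 2] for i, b in enumerate(data))


class ToyDisk:
    def __init__(self):
        # Constructed sample contents: cylinder i is filled with byte 0x41+i.
        self.cylinders = [bytes([0x41 + i]) * CYLINDER_BYTES for i in range(NUM_CYLINDERS)]
        self.mbr = b"CLEAN-MBR".ljust(CYLINDER_BYTES, b"\0")
        self.track0_hidden = None   # where the virus parks the original MBR
        self.resident = False       # True once an infected MBR has been booted

    def plaintext(self, n):
        return bytes([0x41 + n]) * CYLINDER_BYTES


def write_virus_mbr(disk, key, boundary):
    disk.mbr = (MAGIC + struct.pack("<HH", key, boundary)).ljust(CYLINDER_BYTES, b"\0")


def parse_virus_mbr(mbr):
    """Return (key, first_encrypted_cylinder) or None if the MBR is clean."""
    if not mbr.startswith(MAGIC):
        return None
    return struct.unpack_from("<HH", mbr, len(MAGIC))


def infect(disk, key):
    """Stash the original MBR on track zero and install the virus MBR."""
    disk.track0_hidden = disk.mbr
    write_virus_mbr(disk, key, NUM_CYLINDERS)   # nothing encrypted yet


def boot(disk):
    """One boot: if the MBR is infected, go resident and encrypt two more cylinders."""
    parsed = parse_virus_mbr(disk.mbr)
    if parsed is None:
        disk.resident = False
        return
    key, boundary = parsed
    disk.resident = True
    new_boundary = max(0, boundary - 2)
    for n in range(new_boundary, boundary):
        disk.cylinders[n] = xor_bytes(disk.cylinders[n], key)
    write_virus_mbr(disk, key, new_boundary)    # boundary creeps toward cylinder 0


def read_mbr(disk):
    """Stealth: while resident the virus hands back the clean MBR it stashed."""
    return disk.track0_hidden if disk.resident else disk.mbr


def read_cylinder(disk, n):
    """Stealth: while resident, reads inside the encrypted area are decrypted on the fly."""
    data = disk.cylinders[n]
    if disk.resident:
        key, boundary = parse_virus_mbr(disk.mbr)
        if n >= boundary:
            data = xor_bytes(data, key)
    return data


def remove_virus(disk, decrypt_first):
    """Disinfect. A naive tool restores the MBR and stops; the key dies with it."""
    parsed = parse_virus_mbr(disk.mbr)
    if parsed is None:
        return
    key, boundary = parsed
    if decrypt_first:
        for n in range(boundary, NUM_CYLINDERS):
            disk.cylinders[n] = xor_bytes(disk.cylinders[n], key)
    disk.mbr = disk.track0_hidden
    disk.resident = False


def intact_cylinders(disk):
    """Count cylinders whose raw contents (virus not in memory) match the plaintext."""
    return sum(disk.cylinders[n] == disk.plaintext(n) for n in range(NUM_CYLINDERS))


def scenario(boots, decrypt_first, key=0x1234):
    disk = ToyDisk()
    infect(disk, key)
    for _ in range(boots):
        boot(disk)
    _, boundary = parse_virus_mbr(disk.mbr)
    # While resident, both the MBR and the encrypted cylinders look clean.
    looks_clean = (read_mbr(disk) == b"CLEAN-MBR".ljust(CYLINDER_BYTES, b"\0")
                   and all(read_cylinder(disk, n) == disk.plaintext(n)
                           for n in range(NUM_CYLINDERS)))
    remove_virus(disk, decrypt_first)
    return {"boundary": boundary,
            "looks_clean_while_resident": looks_clean,
            "intact_after_removal": intact_cylinders(disk)}


if __name__ == "__main__":
    print(scenario(3, decrypt_first=False))   # 6 cylinders lost
    print(scenario(3, decrypt_first=True))    # all 16 recovered
```

After three boots the toy boundary sits at cylinder 10, so cylinders 10 to 15 are ciphertext on disk; a disinfector that reads the key and boundary out of the infected MBR before overwriting it recovers everything, while one that simply restores the clean MBR leaves six cylinders unreadable with no key left anywhere to recover them.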
There are at least two more variants, 3577 and 3518 bytes in size.
Copy any important files to a floppy disk or tape while the virus is
still resident, before removing the virus. The virus and the encryption
can be removed with a SAC utility which is available at:
[Analysis: Mikko Hypponen, F-Secure]