F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : One_Half





NAME:One_Half
ALIAS:Onehalf, Slovak Bomber, Explosion-II, Freelove
SIZE:3544
TYPE:Stealth MBR COM/EXE-files

One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found both in USA and Europe. One_Half is a destructive virus: its removal may cause files to be damaged.

One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes between every infection. One_Half attempts to infect COM and EXE files only on floppy (and possibly network) drives.

Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.

The following, unencrypted texts can be found inside the viruse's code: 

        Dis is one half.
        Press any key to continue ...
        Did you leave the room ?

The virus also contains the names of many anti-virus products: 

        SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

One_Half is a destructive virus. Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. This way, the encrypted area slowly creeps toward the disk's beginning. When information is retrieved from the encrypted area, the virus decrypts it on the way, so the user doesn't notice anything out of the ordinary.

Do note that the stealth routines of the virus do not work correctly under Windows 95, and the encryption is directly visible.

The encrypted information stays encrypted while the virus is not resident, so the true nature of things is revealed only after the computer is booted from a diskette or after the virus is removed. If One_Half is removed from a hard disk's MBR without first making a backup copy of the computer's data, it is almost impossible to restore the encrypted information on the hard disk; the virus stores both the encryption key and information about the location and extent of the encrypted area inside its own code in the MBR.

There are at least two more variants, 3577 and 3518 bytes in size.

copy any important files to a floppy disk or tape before with the virus resident before removing the virus. The virus and the encryption can be removed with a SAC utility which is available at: ftp://ftp.F-Secure.com/pub/misc/anti-vir/onehalf.zip

[Analysis: Mikko Hypponen, F-Secure]