One Half

Type: Virus
SubType: Multi-Partite
Discovery Date: 10/01/1994
Length: 3,544 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 10/15/1994
Description Modified: 10/15/1994 12:00 AM (PT)
Risk Assessment:
Corporate User: Low
Home User: Low

Characteristics

One Half is a multi-partite, memory resident encrypting virus. One Half specifically targets .COM and .EXE files, the boot sector on floppy diskettes and the Master Boot Record (MBR) (the sector which contains the partition table).

When the first One Half infected file is accessed, the One Half virus will infect the system hard disk's MBR. It does not become memory resident until the system is rebooted from the system hard disk.

When the system is booted from the infected system hard disk, the One Half virus will become memory resident at the top of system memory, but below the 640K DOS boundary. Interrupt 12's return is not moved. Interrupt 21 will be hooked by the virus in memory.

Once memory resident, One Half infects .COM and .EXE files, including COMMAND.COM, when they are accessed. The file's date and time in the DOS disk directory listing will not be altered.

The One Half virus also employs stealth techniques. When the MBR of an infected hard disk is examined, the virus displays the original contents of the MBR. The "encrypted" information stays "encrypted" while the virus is not resident in memory, so the true nature of the system's MBR is not revealed until the virus is removed.

Because of the changes One Half makes on the machine, the original boot sector may be altered and the partition table may be damaged.

One Half is also destructive. With each boot, it slowly corrupts the hard disk two cylinders at a time starting with the end of the first disk partition. When one half of the drive has been corrupted by the above procedure, the following messages are displayed:

"Dis is one half."
"Press any key to continue..."

Additional Comments:
The One Half, or One Half.3544, virus was isolated in October, 1994, in Austria. It has been reported to be "in the wild". One Half is a memory resident multipartite stealth virus which infects the system hard disk's master boot record (the sector containing the partition table), as well as .COM and .EXE files, including COMMAND.COM.

When the first One Half infected program is executed, the One Half virus will infect the system hard disk's master boot record. It does not become memory resident until the system is rebooted from the system hard disk.

When the system is booted from the infected system hard disk, the One Half virus will become memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,096 bytes. Interrupt 21 will be hooked by the virus in memory.

Once memory resident, this virus will infect .COM and .EXE programs, including COMMAND.COM, when they are executed, opened, or copied. Infected programs will have a file length increase of 3,544 bytes, though the file length increase will not be visible when the virus is memory resident. The virus will be located at the end of all infected files. The program's date and time in the DOS disk directory listing will not be altered.

The following text strings are encrypted within the viral code:

"COMMAND"
"valid driv"
"Dis is one half."
"Press any key to continue ..."
".COM .EXE SCAN CLEAN"
"FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW"
"Did you leave the rom ?"
"Invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"

It is unknown what One Half does besides replicate. Known variant(s) of One Half are:

Symptoms

This virus will cause .COM and .EXE files to increase in length by 3,544 to 1,042 bytes, with the virus inserted at the end of the file. This increase in file length is not visible when the virus is memory resident. CHKDSK also reports a decrease of 4,096 bytes in total system and available free memory. This decrease may cause memory conflicts.
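The file-length symptom lends itself to a baseline comparison. The following is an added example, not part of the original description: it flags .COM and .EXE files that grew by exactly 3,544 bytes while keeping the same directory date and time. The manifest format and sample listings are constructed, and the 3,577 and 3,570 byte figures are assumptions inferred from the variant names. Because the increase is hidden while the virus is memory resident, the current listing has to be taken when it is not resident, for example after booting from known-clean media.

```python
from dataclasses import dataclass

# 3544 is the length increase given in this description. The other two values
# are ASSUMED from the variant names OneHalf.3577 and One Half.3570.
SUSPECT_GROWTH = {3544: "One Half.3544",
                  3577: "OneHalf.3577 (assumed length)",
                  3570: "One Half.3570 (assumed length)"}
TARGET_EXTENSIONS = (".COM", ".EXE")

@dataclass(frozen=True)
class Entry:
    size: int   # file length in bytes
    mtime: str  # date and time as shown in the directory listing

def parse_manifest(text):
    """Parse 'NAME SIZE DATE TIME' lines (hypothetical manifest format)."""
    entries = {}
    for line in text.strip().splitlines():
        name, size, date, time = line.split()
        entries[name.upper()] = Entry(int(size), f"{date} {time}")
    return entries

def find_suspects(baseline, current):
    """Return (name, growth, label) for files matching both symptoms."""
    suspects = []
    for name, now in sorted(current.items()):
        before = baseline.get(name)
        if before is None or not name.endswith(TARGET_EXTENSIONS):
            continue
        growth = now.size - before.size
        # Symptom pair: fixed growth AND unchanged directory date/time.
        if growth in SUSPECT_GROWTH and now.mtime == before.mtime:
            suspects.append((name, growth, SUSPECT_GROWTH[growth]))
    return suspects

# Constructed sample listings, not taken from a real system.
BASELINE = """
COMMAND.COM 54645 1994-05-31 06:22
FORMAT.COM  22974 1994-05-31 06:22
EDIT.EXE    40000 1994-05-31 06:22
README.TXT   1000 1994-05-31 06:22
"""
CURRENT = """
COMMAND.COM 58189 1994-05-31 06:22
FORMAT.COM  22974 1994-05-31 06:22
EDIT.EXE    43544 1994-11-02 10:15
README.TXT   4544 1994-05-31 06:22
"""

if __name__ == "__main__":
    for name, growth, label in find_suspects(parse_manifest(BASELINE),
                                             parse_manifest(CURRENT)):
        print(f"{name}: +{growth} bytes, date/time unchanged -> {label}")
```

In the sample, EDIT.EXE also grew by 3,544 bytes but carries a new date and time, and README.TXT is not a targeted file type, so neither is reported.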

One Half contains the following encrypted messages:

"COMMAND"
"valid driv"
"Dis is one half"
"Press any key to continue..."
".COM .EXE SCAN CLEAN"
"FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW"
"Did you leave the rom ?"
"invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"

Method of Infection

Multi-partite viruses have two main routes of infection: either as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Variants

  • OneHalf.3577
  • One Half.3570

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Explosion-II
  • Freelove
  • OneHalf.3544
  • Slovak Bomber
