OneHalf

OneHalf is a DOS-based polymorphic computer virus (hybrid boot and file infector) discovered in October 1994.[1] It is also known as Slovak Bomber, Freelove or Explosion-II.[2] It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE.[3] However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name.[4]

OneHalf
Common nameOneHalf
Technical nameOneHalf
AliasesSlovak Bomber
FamilyOneHalf
ClassificationVirus
TypeDOS
Subtypefile and boot infector
Isolation1994
Point of isolationUnknown
Point of originSlovakia

It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.

OneHalf has about 20 different variants, all with functionally similar behaviour.[5]

Payload

OneHalf is known for its peculiar payload: at every boot, it encrypts two unencrypted cylinders of the user's Hard disk, but then temporarily decrypts them when they are accessed. This makes sure the user does not notice that their hard disk is being encrypted like this, and lets the encryption continue further. It also hides the real MBR from programs on the computer, to make detection harder. The encryption is done by bitwise XORing by a randomly generated key, which can be decrypted simply by XORing with the same bit stream again. Once the virus has encrypted half of the disk, and/or on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of any month and under some other conditions, the virus will display the message:[4]

Dis is one half.

....

Press any key to continue ...[6]

Removal

OneHalf's unique payload makes removal harder: simply removing the virus and cleaning the MBR will leave the data encrypted, requiring backups to restore it. As such, special tools are needed to decrypt the hard disk before removing the virus. One such tool was developed for SAC (Slovak Antivirus Center) to do this job.[2][7]

gollark: It's an entirely unimportant thing, potatOS just lets you do `func:address()` for some reason.
gollark: Hmm, `function`s `tostring` differently to in CCEmuX, that might break that one thing.
gollark: Maximum compatibility means maximum potatospread™!
gollark: I try and make potatOS compatible with both.
gollark: I shall TRY™ that NOW™.

References

  1. "One Half Virus". VSUM. Retrieved 13 February 2013.
  2. "One_Half Description - F-Secure Labs". www.f-secure.com.
  3. "One-half virus". Proland Software. Retrieved 13 February 2013.
  4. "Onehalf - The Virus Encyclopedia". virus.wikidot.com.
  5. "One Half". ESET. Retrieved 13 February 2013.
  6. "One_Half". Symantec. Retrieved 13 February 2013.
  7. "YouTube: danooct1: Virus.DOS.Onehalf Followup/Removal Attempt". danooct1. 25 September 2013. Retrieved 14 December 2014.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.