One Half Virus


 Virus Name:  One Half 
 Aliases:     One Half.3544 
 V Status:    Common 
 Discovered:  October, 1994 
 Symptoms:    .COM & .EXE growth; Master Boot Record (MBR) altered; 
              decrease in system and free memory 
 Origin:      Austria 
 Eff Length:  3,544 Bytes 
 Type Code:   PRhAKX - Parasitic Encrypted Resident .COM .EXE  MBR Infector 
 Detection Method:  AVTK, Sweep, NAV, F-Prot, ViruScan, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NProt, NAV/N, Innoc, NShld, LProt, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files & replace MBR 
 
 General Comments: 
       The One Half, or One Half.3544, virus was isolated in October, 1994, 
       in Austria.  It has been reported to be "in the wild".  One Half 
       is a memory resident multipartite stealth virus which infects the 
       system hard disk's master boot record (the sector containing the 
       partition table), as well as .COM and .EXE files, including 
       COMMAND.COM. 
 
       When the first One Half infected program is executed, the One Half 
       virus will infect the system hard disk's master boot record.  It does 
       not become memory resident until the system is rebooted from the 
       system hard disk. 
 
       When the system is booted from the infected system hard disk, the 
       One Half virus will become memory resident at the top of system memory 
       but below the 640K DOS boundary, not moving interrupt 12's return. 
       Total system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 4,096 bytes.  Interrupt 21 will be 
       hooked by the virus in memory. 
 
       Once memory resident, this virus will infect .COM and .EXE programs, 
       including COMMAND.COM, when they are executed, opened, or copied. 
       Infected programs will have a file length increase of 3,544 bytes, 
       though the file length increase will not be visible when the virus 
       is memory resident.  The virus will be located at the end of all 
       infected files.  The program's date and time in the DOS disk directory 
       listing will not be altered.  The following text strings are encrypted 
       within the viral code: 
 
               "COMMAND" 
               "valid driv" 
               "Dis is one half." 
               "Press any key to continue ..." 
               ".COM .EXE SCAN CLEAN" 
               "FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW" 
               "Did you leave the rom ?" 
               "Invalid Partition Table" 
               "Error Loading Operating System" 
               "Missing Operating System" 
 
       It is unknown what One Half does besides replicate. 
 
       Known variant(s) of One Half are: 
       One Half.3577: Received in January, 1995, One Half.3577 is a 
               3,577 byte variant of the One Half virus described above. 
               It contains the following encrypted text strings: 
               "Dis is one half." 
               "Press any key to continue ..." 
               ".COM .EXE SCAN CLEAN" 
               "FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW" 
               "DidYouLeaveTheRoom?" 
               "Invalid partition table Error loading operating 
                system Missing operating system" 
               Origin:  Unknown  January, 1995. 
