Onehalf
Onehalf
Type Multipartite virus
Creator
Date Discovered 1994.04
Place of Origin Košice, Slovakia
Source Language
Platform DOS
File Type(s) .com, .exe
Infection Length 3,544 bytes
Reported Costs

Onehalf is a multipartite polymorphic stealth virus.

Behavior

When executed from an infected file, Onehalf infects the hard disk master boot record. It becomes memory resident only after booting from an infected hard disk. The virus will infect .com and .exe files on floppy drives and possibly on network drives. The virus appends its 3,544 bytes to the files when they are run, opened, or copied. It avoids infecting files with SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in their names.

Every time the infected system is booted, Onehalf will encrypt the last two unencrypted sectors of the hard disk. It will eventually encrypt the whole hard disk if not removed. THe user will not notice anything out of the ordinary, since it will decrypt information when it is read. If the virus is not in memory, the encrypted information will be lost.

On the on 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of any month, and under some other conditions, it displays the message:

  Dis is one half.
  Press any key to continue...

It also contains the text string: "Did you leave the room ?".

Onehalf has stealth capabilities for its master boot record infecting component. When a program tries to access the master boot record, the virus will show the program the clean version. It will also hide the increase in file size on infected files.

The virus stealth routines do not work on any version of Windows from 95 on.

Variants

The Onehalf virus had over 20 functionally similar variants, ranging from 3,434 bytes to 3,696 bytes long.

Origin and Effects

The origin of the virus is uncertain. Some of the other names suggest it originated in Slovakia, while there are reports of it having originated in Austria. There seems to be more evidence showing it comes from Slovakia, one of its names even points to the town of Košice as its origin. It is likely that it was prevalent in both countries. It became prevalent in Europe and made it to the United States.

Name

Its name comes from the text that is displayed under certain conditions. IT has also gone by the name Explosion II and Slovak Bomber.

Other Facts

The Word 97 Macro Asder also known as Rash drops this virus on computers it infects. It drops it in a file named COMMàND.COM, and modifies AUTOEXEC.BAT to execute this file the next time the system is booted.

Sources

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : One_Half.

Kaspersky Lab. SecureList,Virus.DOS.OneHalf.3544.a.

Patricia Hoffman. Online VSUM, One Half Virus.

Ricardo O. Pineda Jr.. Trend Micro Antivirus, ONE_HALF.3544. 2007.03.06

Trend Micro Antivirus, W97M_ASDER.A. 2000.10.26

Bill Orvis. Computer Incident Advisory Capability, One_half Virus. 1994.09.13

Jiří Zacpal. Katalog Virus

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License