OneHalf family Viruses Information

Name: OneHalf family
Category: Viruses
Description: Details
OneHalf family

These are dangerous memory-resident, polymorphic, multipartite viruses. When executed, they infect the MBR of the hard drive. When the system boots from an infected disk, they hook INT 13h, 1Ch and 21h and write themselves to the end of COM and EXE files that are accessed. While infecting a file they check its name and do not infect these files: SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV, CHKDSK.
The virus's decryption routine is divided into several parts that are placed at random offsets in infected files (see the "Bomber" virus).
While infecting the hard drive, "OneHalf" checks the Partition Table, looks for the last DOS partition (a DOS logical disk: FAT-12/FAT-16/BIGDOS) or extended partition, and calculates the first and last cylinder numbers of that disk/extended partition.
It saves the pointer to the last cylinder at offset 29h in the hard drive MBR. On each boot from the hard drive the virus decreases that pointer by two and encrypts the two cylinders that the pointer points to. On the first boot from the hard drive the virus encrypts the last two cylinders, on the next boot two more from the end, and so on. As a result, the encrypted "spot" at the end of the last logical disk/partition grows by 2 cylinders on each boot.
When that "spot" reaches the middle of the disk/partition, the virus may display the following message (subject to other conditions: on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of each month, and if the generation of the virus is even):
Dis is one half.
Press any key to continueall

After loading into system memory the virus decrypts/encrypts these sectors "on-the-fly", so the corrupted sectors appear in their original form, but after disinfection all the encrypted data is lost.
"OneHalf.3518" does not use a polymorphic engine to encrypt itself. It displays:
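The pointer bookkeeping described above can be read back from a saved copy of an infected MBR sector to estimate how many cylinders are encrypted before that sector is rewritten. This is an added example, not code from the original page; it assumes the value at offset 29h is a 16-bit little-endian cylinder number and that "last DOS partition" means the last matching table entry, and the sample sector is constructed.

```python
import struct

DOS_TYPES = {0x01, 0x04, 0x05, 0x06}  # FAT-12, FAT-16, extended, BIGDOS
POINTER_OFFSET = 0x29  # offset from the description; 16-bit LE width is an assumption

def cylinder(sector_byte, cyl_byte):
    """Decode the 10-bit cylinder from a packed CHS sector/cylinder byte pair."""
    return ((sector_byte & 0xC0) << 2) | cyl_byte

def last_dos_partition(mbr):
    """(first_cyl, last_cyl) of the last DOS or extended table entry, else None."""
    found = None
    for off in range(0x1BE, 0x1FE, 16):
        entry = mbr[off:off + 16]
        if entry[4] in DOS_TYPES:
            found = (cylinder(entry[2], entry[3]), cylinder(entry[6], entry[7]))
    return found

def assess(mbr):
    """Estimate the encrypted cylinder range from an infected MBR sector."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR sector")
    part = last_dos_partition(mbr)
    if part is None:
        return None
    first, last = part
    (ptr,) = struct.unpack_from("<H", mbr, POINTER_OFFSET)
    if not first <= ptr <= last:
        return None  # value lies outside the partition: not a usable pointer
    return {
        "partition_cylinders": (first, last),
        "pointer": ptr,
        "encrypted_cylinders": last - ptr,       # grows by 2 on each boot
        "boots_from_hd": (last - ptr) // 2,
        "reached_half": ptr <= (first + last) // 2,
    }

def sample_mbr(pointer):
    """Constructed test sector: BIGDOS on cylinders 0-799, extended on 800-999."""
    mbr = bytearray(512)
    mbr[0x1BE:0x1CE] = bytes([0x80, 1, 0x01, 0x00, 0x06, 15, 0xFF, 0x1F]) + bytes(8)
    mbr[0x1CE:0x1DE] = bytes([0x00, 0, 0xC1, 0x20, 0x05, 15, 0xFF, 0xE7]) + bytes(8)
    struct.pack_into("<H", mbr, POINTER_OFFSET, pointer)
    mbr[510:] = b"\x55\xaa"
    return bytes(mbr)
```

On a clean MBR the bytes at offset 29h are ordinary boot code, so the result is meaningful only for a sector already identified as infected.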
A20 Error !!!
Press any key to continue ...

"OneHalf.3544.b" does not infect the files: AIDS*.*, ADINF*.*, DRWEB*.*, ASD*.*, MSAV*.*. That virus displays:
Dis is TWO HALF.
Fucks any key to Goping...

"OneHalf.3544.c" does not encrypt the hard drive sectors. This virus displays:
Disk is Tpu half.
(Bepx, Hu3 u Pe6po)

The viruses also contain the strings:
"OneHalf.3544.a": Did you leave the room ?
"OneHalf.3544.b": User is loh !
"OneHalf.3577": DidYouLeaveTheRoom?

OneHalf.Madjid
This virus is not encrypted, but it encrypts hard drive sectors just as the original "OneHalf" does. This virus displays the text:
OHHHHH... MADJID
Here is very dark.
HELP ME... HELP ME... HELP...
I am here .They kill the love .I am solitary .
Press RETURN for continue



© 2006-2008 spyware32.com - Privacy Policy