%%File: VIRS0601.TXT
%%Name/Aliases: One_half, one half, Freelove, Slovak Bomber, Explosion-II
%%Platform: PC/MS-DOS
%%Type: Multipartite.
%%Disk Location: Hard disk partition table., EXE application., COM application.
%%Features: Memory resident; TSR., Encrypted, Stealth, Polymorphic
%%Damage: Encrypts the HD, Trashes the hard disk.
%%Size: Polymorphic: each infection different, 3544 bytes long
%%See Also: Commander_Bomber
%%Notes: We have determined that the virus is highly infectious and multiply encrypted. It infects .COM and .EXE files and the master boot record, and it probably infects other executable files as well. It is a stealth virus that actively hides its infection in the boot sector, and it may also hide its infections in files. It appears to infect only .EXE and .COM files that reside on networked drives.

When activated by running an infected program, the virus modifies the master boot record on the hard disk so that it runs the virus code, which is placed in the last seven sectors of the first track of the hard disk. The eighth sector from the end of the track contains a copy of the original master boot record. The last sector of the first track ends with the following clear text: Did you leave the room ? The virus uses stealth to hide the boot infection.

According to VB of October 1994, the virus has two trigger routines. The first trigger routine is complex, and attempts to execute it fail. Calling this complex routine leads to the encryption of the DOS partitions of the hard disk. When the virus is removed, the disk partitions are removed and the hard disk is trashed. The second trigger routine is called when the virus is installed in system memory. This routine tests the system timer value against its own generation count routine. When these conditions are to its liking, the following message is displayed: Dis is one half. Press any key to continue ..... and the virus waits for a response from the user.
This routine is the one that contains the text string " Did you leave the room? ".

The virus has an error in it that causes damage to large-capacity hard disks. The virus appears to make some assumptions about the file system that cause it to write to the wrong place on a larger disk with many logical read/write heads. Many of the newer, larger disk drives map the true number of heads and cylinders to a larger number of logical heads and fewer logical cylinders to get around DOS limits on the number of cylinders allowed on a disk. It appears that disks with 32 or more heads may be at risk.

The virus encrypts two cylinders of the hard drive, starting with the highest-numbered cylinders, every time the machine is booted, and then masks that encryption by decrypting any file accesses to that area. If the virus is not in memory, you will see encrypted data there. If you remove the virus from the disk, the encryption key is lost and the cylinders cannot be disinfected. Any important files must be copied out of those cylinders before removing the virus.

The program chk_half.zip is available from DDI to find and remove this virus. DataPhysician Plus 4.0E should detect and remove it. DOE Virstop can decrypt the cylinders. Norton has a special copy of NAV that can decrypt the sectors.

Note: The virus code is at a constant offset from the end of the file. Therefore, a scanner can detect the virus by checking the end of the file rather than the header.
=====
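The two on-disk indicators described in this record (the clear text at the end of the last sector of the first track, and the original master boot record relocated to the eighth sector from the end of that track) can be checked offline against a raw disk image. The following scanner is an added example, not part of the VIRS record or of any of the tools it names; it assumes classic DOS geometry of 63 sectors per track (SPT is a parameter), works on 512-byte sectors, and builds its own constructed images containing no virus code, only the layout the record describes.

```python
"""Defensive scan of a raw disk image for the first-track layout described in
VIRS0601 (One_half).  Added example; constructed test images, no virus code."""

SECTOR = 512
SPT = 63                                   # sectors per track: assumed DOS geometry
MARKER = b"Did you leave the room ?"       # clear text quoted in the record
BOOT_SIG = b"\x55\xAA"                     # standard boot-sector signature


def _sector(img: bytes, n: int) -> bytes:
    """Return sector n (0-based, LBA order) of a raw image."""
    return img[n * SECTOR:(n + 1) * SECTOR]


def scan_first_track(img: bytes, spt: int = SPT) -> dict:
    """Check the first track for the two indicators the record describes.

    - marker_in_last_sector: the clear text sits at the END of the last sector.
    - relocated_mbr: the eighth sector from the end of the track holds a
      boot-signed sector that differs from sector 0 (a displaced original MBR).
    """
    if len(img) < spt * SECTOR:
        raise ValueError("image shorter than one track")
    findings = {"marker_in_last_sector": False, "relocated_mbr": False}

    last = _sector(img, spt - 1)
    # Strip trailing zero padding so the test is on the sector's real tail.
    if last.rstrip(b"\x00").endswith(MARKER):
        findings["marker_in_last_sector"] = True

    mbr = _sector(img, 0)
    backup = _sector(img, spt - 8)          # eighth sector from the end
    if backup[-2:] == BOOT_SIG and mbr[-2:] == BOOT_SIG and backup != mbr:
        findings["relocated_mbr"] = True

    findings["suspicious"] = (findings["marker_in_last_sector"]
                              or findings["relocated_mbr"])
    return findings


def make_clean_image(spt: int = SPT) -> bytes:
    """Constructed one-track image with a placeholder boot-signed MBR."""
    mbr = bytearray(SECTOR)
    mbr[:16] = b"CLEAN-MBR-CODE.."        # constructed placeholder, not boot code
    mbr[-2:] = BOOT_SIG
    img = bytearray(SECTOR * spt)
    img[:SECTOR] = mbr
    return bytes(img)


def make_suspicious_image(spt: int = SPT) -> bytes:
    """Constructed image reproducing only the LAYOUT the record describes:
    original MBR copied to the eighth sector from the end, a different sector 0,
    and the marker text at the end of the last sector.  Contains no virus code."""
    img = bytearray(make_clean_image(spt))
    original_mbr = bytes(img[:SECTOR])
    img[(spt - 8) * SECTOR:(spt - 7) * SECTOR] = original_mbr
    replaced = bytearray(SECTOR)
    replaced[:16] = b"REPLACED-SECTOR0"     # constructed placeholder
    replaced[-2:] = BOOT_SIG
    img[:SECTOR] = replaced
    last_end = spt * SECTOR
    img[last_end - len(MARKER):last_end] = MARKER
    return bytes(img)


if __name__ == "__main__":
    print("clean     :", scan_first_track(make_clean_image()))
    print("suspicious:", scan_first_track(make_suspicious_image()))
```

On a real system the image would be the first track read from the physical device with the machine booted from known-clean media, since the record notes that the resident virus decrypts and hides what it has written; a scan from the infected system's own DOS would see stealthed sectors.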