OneHalf

Last updated
OneHalf
Technical nameOneHalf
AliasSlovak Bomber
Type DOS
Subtypefile and boot infector
Classification Virus
FamilyOneHalf
Origin Slovakia

OneHalf is a DOS-based polymorphic computer virus (hybrid boot and file infector) discovered in October 1994. [1] It is also known as Slovak Bomber, Freelove or Explosion-II. [2] It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE. [3] However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name. [4]

Contents

It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.

OneHalf has about 20 different variants, all with functionally similar behaviour. [5]

Payload

OneHalf is known for its peculiar payload: at every boot, it encrypts two unencrypted cylinders of the user's hard disk, but then temporarily decrypts them when they are accessed. This makes sure the user does not notice that their hard disk is being encrypted like this, and lets the encryption continue further. It also hides the real MBR from programs on the computer, to make detection harder. The encryption is done by bitwise XORing by a randomly generated key, which can be decrypted simply by XORing with the same bit stream again. Once the virus has encrypted half of the disk, and/or on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of any month and under some other conditions, the virus will display the message: [4]

Dis is one half.

Press any key to continue ... [6]

Removal

OneHalf's unique payload makes removal harder: simply removing the virus and cleaning the MBR will leave the data encrypted, requiring backups to restore it. As such, special tools are needed to decrypt the hard disk before removing the virus. One such tool was developed for SAC (Slovak Antivirus Center) to do this job. [2] [7]

Related Research Articles

<span class="mw-page-title-main">Boot sector</span> Sector of a persistent data storage device

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">CIH (computer virus)</span> Windows 9x computer virus

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus that first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives and, in some cases, destroying the system BIOS. The virus was created by Chen Ing-hau, a student at Tatung University in Taiwan. It was believed to have infected sixty million computers internationally, resulting in an estimated NT$1 billion (US$35,801,231.56) in commercial damages.

FileVault is a disk encryption program in Mac OS X 10.3 Panther (2003) and later. It performs on-the-fly encryption with volumes on Mac computers.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

<span class="mw-page-title-main">TrueCrypt</span> Discontinued source-available disk encryption utility

TrueCrypt is a discontinued source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the whole storage device.

Disk encryption software is a computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet.

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

<span class="mw-page-title-main">BitLocker</span> Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

<span class="mw-page-title-main">Stoned (computer virus)</span> Computer virus

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

This is a technical feature comparison of different disk encryption software.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running on Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

Rombertik is spyware designed to steal confidential information from targets using Internet Explorer, Firefox, or Chrome running on Windows computers. It was first publicized by researchers at Cisco Talos Security and Intelligence Group.

References

  1. "One Half Virus". VSUM. Retrieved 13 February 2013.
  2. 1 2 "One_Half Description - F-Secure Labs". www.f-secure.com.
  3. "One-half virus". Proland Software. Retrieved 13 February 2013.
  4. 1 2 "Onehalf - The Virus Encyclopedia". virus.wikidot.com.
  5. "One Half". ESET. Retrieved 13 February 2013.
  6. "One_Half". Symantec. Archived from the original on 30 October 2015. Retrieved 13 February 2013.
  7. "YouTube: danooct1: Virus.DOS.Onehalf Followup/Removal Attempt". danooct1. 25 September 2013. Retrieved 14 December 2014.