OneHalf

Common name: OneHalf
Technical name: OneHalf
Aliases: Slovak Bomber
Family: OneHalf
Classification: Virus
Type: DOS
Subtype: File and boot infector
Isolation: 1994
Point of isolation: Unknown
Point of origin: Slovakia

OneHalf is a DOS-based polymorphic computer virus (hybrid boot and file infector) discovered in October 1994. [1] It is also known as Slovak Bomber, Freelove or Explosion-II. [2] It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE. [3] However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name. [4]


It is also known as one of the first viruses to implement the "patchy infection" technique, introduced in Bomber.

OneHalf has about 20 different variants, all with functionally similar behaviour. [5]

Payload

OneHalf is known for its peculiar payload: at every boot it encrypts two more, previously unencrypted, cylinders of the user's hard disk, but transparently decrypts them whenever they are accessed. This keeps the user from noticing that the disk is gradually being encrypted, so the encryption can continue undisturbed. It also hides the real MBR from programs running on the computer, to make detection harder. The encryption is a bitwise XOR with a randomly generated key, so the data can be decrypted simply by XORing it with the same bit stream again. Once the virus has encrypted half of the disk, and/or on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of any month and under some other conditions, the virus displays the message: [4]

    Dis is one half.
    Press any key to continue ... [6]

Removal

OneHalf's unique payload makes removal harder: simply removing the virus and cleaning the MBR will leave the data encrypted, requiring backups to restore it. As such, special tools are needed to decrypt the hard disk before removing the virus. One such tool was developed for SAC (Slovak Antivirus Center) to do this job. [2] [7]
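To make the payload and the removal problem concrete, here is an added Python model (not code from this page or from any OneHalf sample) of the scheme the Payload and Removal sections describe: a repeating XOR key, two more cylinders encrypted per boot, transparent decryption while the virus is resident, and the difference between merely removing the virus and decrypting the disk first. Cylinder size, disk size, key length and the order in which cylinders are picked are constructed assumptions.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key: the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class InfectedDisk:
    """Toy model of OneHalf's progressive XOR encryption of disk cylinders."""
    def __init__(self, key: bytes, plaintext_cyls):
        self.key = key                    # random key chosen at infection time
        self.cyls = list(plaintext_cyls)  # what is physically on the platters
        self.encrypted = 0                # cylinders encrypted so far (assumed: from cylinder 0 upward)
        self.resident = True              # virus hooks disk I/O while resident

    def boot(self) -> None:
        """Each boot encrypts the next two still-unencrypted cylinders."""
        for _ in range(2):
            if self.encrypted < len(self.cyls):
                i = self.encrypted
                self.cyls[i] = xor_bytes(self.cyls[i], self.key)
                self.encrypted += 1

    def half_encrypted(self) -> bool:
        """True once half of the disk is encrypted (the message trigger)."""
        return 2 * self.encrypted >= len(self.cyls)

    def read(self, i: int) -> bytes:
        """Transparent decryption happens only while the virus is resident."""
        raw = self.cyls[i]
        if self.resident and i < self.encrypted:
            return xor_bytes(raw, self.key)
        return raw

    def remove_virus_only(self) -> None:
        """Naive cleanup: kill the resident virus, leave the cylinders as-is."""
        self.resident = False

    def decrypt_then_remove(self) -> None:
        """Proper cleanup: undo the XOR with the recovered key, then remove."""
        for i in range(self.encrypted):
            self.cyls[i] = xor_bytes(self.cyls[i], self.key)
        self.encrypted = 0
        self.resident = False

def unreadable_after_naive_removal(key: bytes, plain) -> int:
    """Cylinders left garbled when the virus is removed without decrypting."""
    disk = InfectedDisk(key, plain)
    while not disk.half_encrypted():
        disk.boot()
    disk.remove_virus_only()
    return sum(disk.read(i) != plain[i] for i in range(len(plain)))
```

With a constructed 8-cylinder disk, the trigger fires after two boots and naive removal leaves 4 cylinders unreadable, while decrypt_then_remove() restores every cylinder.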

References

  1. "One Half Virus". VSUM. Retrieved 13 February 2013.
  2. "One_Half Description - F-Secure Labs". www.f-secure.com.
  3. "One-half virus". Proland Software. Retrieved 13 February 2013.
  4. "Onehalf - The Virus Encyclopedia". virus.wikidot.com.
  5. "One Half". ESET. Retrieved 13 February 2013.
  6. "One_Half". Symantec. Archived from the original on 30 October 2015. Retrieved 13 February 2013.
  7. "YouTube: danooct1: Virus.DOS.Onehalf Followup/Removal Attempt". danooct1. 25 September 2013. Retrieved 14 December 2014.