The One Half family of viruses are an older family, the first of which appeared in 1995. One Half was designed to operate under DOS and Windows 3.1, but it can still cause Windows 9x to become rather cranky. It is a multipartite virus that infects the master boot record of a hard drive and infects COM and EXE files that are executed while it resides in the memory, increasing their length by 3518, 3544, or 3577 bytes. It will, however, avoid files with the following in their names: FINDVIRU, GUARD, NOD, VSAFE, MSAV, CHKDSK, SCAN, and CLEAN. One Half's real payload, however, is that it slowly encrypts the hard drive. On each cold boot two more sectors are encrypted with randomly generated keys stored in the partition table. As long as One Half is in memory, the encrypted data will be decryped on the fly. If you remove One Half without decrypting the data first, all encrypted data will be lost.
If the following conditions are met:
- It is the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th, or 30th of the month
- The generation of the virus is even
- At least one half of the sectors of the hard disk have been encrypted
then One Half will display the following message:
Dis is one half.
Press any key to continue...
One Half also contains the following text, which is not displayed:
Did you leave the room ?
User is loh !
One Half does appear to do anything else but encrypt data and replicate
itself. There are other versions of One Half, as well. "OneHalf.3518" will not encrypt itself, and instead of "Dis is one half" displays:
A20 Error !!!
Press any key to continue ...
"OneHalf3544.b" adds the following names to the files that will not be infected: AIDS, ADINF, DRWEB, ASD, and MSAV. In place of "Dis is one half" it displays the following text:
Dis is TWO HALF.
Fucks any key to Goping...
"OneHalf.3544.c" only replicates itself, it does not encrypt data. It will randomly display the following:
Disk is Tpu half.
(Bepx, Hu3 u Pe6po)
Finally, "OneHalf.Madjid" will not encrypt itself, but it will still encrypt other data. Instead of the standard message, it will display the following slightly creepy text:
Here is very dark.
HELP ME... HELP ME... HELP...
I am here .They kill the love .I am solitary .
Press RETURN for continue
As far as I can tell, nobody can find out who the enigmatic Madjid
is. One Half no longer poses a serious threat today, although it can make Windows behave oddly or possibly refuse to boot. McAfee
or Norton Antivirus
should wipe it out handily.