Selected viruses, spyware, and other threats: sorted alphabetically
One_Half.3544.A, One_Half.3544.B, One_Half.3544.C
One_Half is known also under aliases Slovak Bomber, Explosion II and FreeLove. It is a resident, multi-partite COM, EXE infector which increases length of infected files on exchangeable media by 3544 bytes. When an infected program is executed the virus will infect the hard disk´s MBR. It will overwrite a part of MBR and locate itself in the last 7 sectors of zero track. The virus will save the original contents of master boot into the 8th sector from the end on zero track (max. sectors -7). It will search for the last active “DOS Partition Table” and “Extended Partition” respectively, and it will calculate number of the first and of the last cylinder of this partition. Then it will save the cylinder in MBR at offset 29h. Everytime the computer is booted the virus will subtract 2 from that value and it will encrypt the 2 cylinders pointed at by this pointer. As a result disk will be encrypted gradually. The virus employs stealth techniques, if it is active in memory, no changes on the disk nor increase in files length can be seen. The virus infects only files on exchangeable media (diskettes, network disks etc.). As the virus does not reproduce itself in hard disk files it minimizes the risk of being detected. In memory it reserves 4 Kb under RAMTOP. The most interesting thing on this virus is the way in what it infects files: decoding routine (decryptor) is devided into ten sections that are randomly scattered within the victim code.They are interlinked by two types of jumps and fulfilled by various onebyte instructions randomly chosen from a set of ten. The aim of this construction is to disable the possibility of detecting the virus by a sample. Partially similar technology was first used in the virus Commander Bomber (author Dark Avenger). The virus is dangerous especially because it gradually encrypts tracks on the disk, starting from the end. After encrypting one half of the disk, depending on date and generation, the following text will be displayed:
Dis is one half. Press any key to continue...
Furthermore, the virus contains encrypred string:
Did you leave the room ?
This indicates that it has the same author as the virus Explosion . The third member of this line of development is the virus EMM:Level_3 .
This variant originated probably in Russia on bases of the variant One_Half.3544 and is modified mainly in two areas. The first one is the decryptor – it was changed so as not to be detected by means of older versions of anti-virus programs. The second area is adjustment of the virus to local conditions. One_Half.3570 was modified so as to avoid programs AIDSTEST and WEB. The first program is one of the most renowned and oldest scanners in Russia, the second one is a heuristic scanner. The length was changed to 3570 bytes.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.