

OneHalf, also known as Slovak Bomber, Freelove and Explosion-II[1], is a DOS polymorphic boot virus.

Behavior

It infects the master boot record of the hard disk and executables. It ignores files with filenames that contain any of the following strings:

SCAN CLEAN FINDVIRU GUARD NOD VSAFE MSAV CHKDSK

After the virus is installed, every time the user boots or reboots the computer, the virus loads and encrypts the last 2 unencrypted cylinders. The encryption is a bitwise XOR with a randomly generated key, so decryption is the same operation performed again with the same key.

When these encrypted cylinders are accessed, the virus decrypts them, so the user might not notice.

Payload

When the number of encrypted cylinders reaches half of the total and the system day is the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th or 30th of any month, the virus displays this message when the computer boots:

Dis is one half.
Press any key to continue ...

Other details

Careless disinfection will result in data loss. Because the virus holds the keys for accessing the encrypted cylinders, if the user removes the virus without first decrypting them, that data might never be recovered.
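The following toy model is an added example, not code from the virus or from this page's sources. It shows why the order of cleanup matters: cylinders are XOR-encrypted two per boot and decrypted transparently on read, so removing the resident code before decrypting leaves them unreadable. The 16-bit key word, the one-sector-per-cylinder geometry and all names (`ToyDisk`, `xor_cylinder`, `demo`) are assumptions made for illustration.

```python
def xor_cylinder(data: bytes, key: int) -> bytes:
    """XOR every 16-bit word with key; applying it twice restores the data."""
    k = key.to_bytes(2, "little")  # assumption: 16-bit key word
    return bytes(b ^ k[i % 2] for i, b in enumerate(data))


class ToyDisk:
    """In-memory model: cylinders from `boundary` upward are stored encrypted."""
    def __init__(self, cylinders, key):
        self.raw = list(cylinders)       # bytes as stored on disk
        self.key = key                   # held only by the resident code
        self.boundary = len(cylinders)   # index of the first encrypted cylinder
        self.resident = True             # whether the boot code is still present

    def boot(self):
        """Each boot encrypts the last 2 still-unencrypted cylinders."""
        for _ in range(2):
            if self.boundary > 0:
                self.boundary -= 1
                self.raw[self.boundary] = xor_cylinder(self.raw[self.boundary], self.key)

    def read(self, c):
        """Reads are decrypted on the fly only while the code is resident."""
        if self.resident and c >= self.boundary:
            return xor_cylinder(self.raw[c], self.key)
        return self.raw[c]

    def careless_disinfect(self):
        """Remove the boot code first: the key and boundary are lost with it."""
        self.resident, self.key = False, None

    def careful_disinfect(self):
        """Decrypt every encrypted cylinder with the stored key, then remove."""
        for c in range(self.boundary, len(self.raw)):
            self.raw[c] = xor_cylinder(self.raw[c], self.key)
        self.boundary = len(self.raw)
        self.resident, self.key = False, None


def demo(careful: bool) -> int:
    """Return how many of 8 constructed cylinders read back intact after cleanup."""
    original = [bytes([c]) * 512 for c in range(8)]  # constructed sample data
    disk = ToyDisk(original, key=0xBEEF)             # constructed key value
    disk.boot(); disk.boot()                         # 4 of 8 cylinders encrypted
    assert all(disk.read(c) == original[c] for c in range(8))  # user notices nothing
    (disk.careful_disinfect if careful else disk.careless_disinfect)()
    return sum(disk.read(c) == original[c] for c in range(8))
```

`demo(True)` recovers all 8 cylinders, while `demo(False)` leaves the 4 encrypted ones unreadable.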

It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.

This virus may be detected and infected by another virus, SSR.

References

  1. http://www.f-secure.com/v-descs/one_half.shtml
