
CIAC INFORMATION BULLETIN

E-34: One_half Virus (MS-DOS)

September 13, 1994 1600 PDT

PROBLEM:        A previously unknown computer virus is damaging systems.
PLATFORM:       All MS-DOS, PC-DOS, Windows systems, all versions.
DAMAGE:         Damages files, encrypts hard drive.
SOLUTION:       Update your Anti-Virus program to detect/remove the virus.

VULNERABILITY   While it is not epidemic, the virus has been seen at an East
ASSESSMENT:     coast site and it isn't detected by the current versions of
                most virus scanners (revised versions are upcoming). The virus
                is intentionally damaging and all files on an infected machine
                are at risk. Warning: Removing the virus may make some files
                inaccessible (see below).

Critical Information about the One_half Virus

CIAC has received information about a new computer virus named One_half. The virus, first discovered in April 1994 and previously seen only in Europe, has been found at an East coast site in the United States. The virus is intentionally damaging and all files on an infected machine are at risk. Removal of the virus without first saving critical files could render those files unrecoverable (more below).

Symptoms

Symptoms of the infection include problems connecting to a file server, changes in file sizes, an inability to start Windows, an inability to boot a system and damaged files. If a suspicious activity detector, such as DDI's VirAlert program, is installed, it intercepts an attempt to write to the master boot record of a hard drive when an infected file is run. If the master boot record is already infected, VirAlert warns that system interrupt 21 is pointing to a non-existent block of memory when the system is booted.

Virus Morphology

When an infected file is run, the virus attacks the master boot record of the hard drive. It copies the original master boot record to a sector that is eight back from the end of the first track and modifies the master boot record to run the virus code. The remainder of the virus code is found in the last seven sectors of the first track on the hard disk. The following strings are in clear text in the virus code.

The virus also contains the names of several prominent antivirus products:

    SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV 

The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files.

The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code.

The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track.

The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors.
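The first-track layout, the fixed file growth and the two-cylinders-per-boot encryption described in this section can be turned into simple offline checks. The following Python is an added example written for this page; it is not code from the CIAC bulletin and not DDI's CHK_HALF. It assumes a raw sector image of the hard disk captured with the virus not in memory (booted from a clean, write-protected floppy, as the bulletin requires), a constructed geometry of 63 sectors per track with 512-byte sectors, and constructed sample data. The sector offsets, the 3544-byte growth and the encryption rate are the figures the bulletin gives.

```python
"""Offline checks for the One_half infection pattern described in the bulletin.

Added example, not part of the CIAC bulletin or of DDI's CHK_HALF. Assumes a
raw sector image captured with the virus NOT in memory, because the stealth
routine hides the first track while the virus is resident. Geometry and all
sample data below are constructed for illustration.
"""

SECTOR_SIZE = 512
SECTORS_PER_TRACK = 63          # assumed geometry for the constructed image
VIRUS_TAIL_SECTORS = 7          # bulletin: rest of virus in last 7 sectors of track 0
MBR_BACKUP_FROM_END = 8         # bulletin: original MBR copied 8 sectors back from track end
VIRUS_FILE_GROWTH = 3544        # bulletin: bytes added to infected .COM/.EXE files
CYLINDERS_PER_BOOT = 2          # bulletin: cylinders encrypted on every boot


def split_track0(image, spt=SECTORS_PER_TRACK):
    """Return track 0 of a raw disk image as a list of sectors (index 0 = MBR)."""
    track = image[:spt * SECTOR_SIZE]
    return [track[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] for i in range(spt)]


def inspect_track0(image, spt=SECTORS_PER_TRACK):
    """Flag the track-0 layout the bulletin attributes to One_half.

    On a normal DOS disk only the first sector of track 0 (the MBR) holds data
    and the rest of the track is empty, so any non-empty sector there deserves
    a look. A second 55AA-terminated sector in the slot where the virus parks
    the original MBR, plus data in the last seven sectors, matches the
    bulletin's description exactly.
    """
    sectors = split_track0(image, spt)
    mbr = sectors[0]
    nonempty = [i for i, s in enumerate(sectors) if i > 0 and any(s)]
    backup_idx = spt - MBR_BACKUP_FROM_END           # 0-based index of the parked MBR
    expected = set(range(backup_idx, spt))           # parked MBR + last 7 sectors
    backup = sectors[backup_idx]
    backup_signed = backup[-2:] == b"\x55\xaa"
    return {
        "mbr_signature_ok": mbr[-2:] == b"\x55\xaa",
        "nonempty_sectors": nonempty,                # 0-based indices within track 0
        "backup_has_boot_signature": backup_signed,
        "matches_one_half_layout": set(nonempty) == expected and backup_signed,
    }


def encrypted_cylinders(partition_cylinders, boots):
    """Cylinders of the DOS partition encrypted after `boots` boots of an infected PC.

    The virus works down from the highest-numbered cylinder, two per boot, so
    data stored at the end of the partition is the first to become unreadable
    once the virus (and its key) is removed.
    """
    n = min(partition_cylinders, CYLINDERS_PER_BOOT * boots)
    return list(range(partition_cylinders - n, partition_cylinders))


def files_grown_by_virus(baseline_sizes, current_sizes):
    """Names of .COM/.EXE files whose size grew by exactly VIRUS_FILE_GROWTH bytes.

    Compares a size manifest taken before exposure with one taken now. Exact
    3544-byte growth is a strong hint, not proof; scan the flagged files.
    """
    return sorted(
        name for name, size in current_sizes.items()
        if name.upper().endswith((".COM", ".EXE"))
        and name in baseline_sizes
        and size - baseline_sizes[name] == VIRUS_FILE_GROWTH
    )


def build_sample_image(infected, spt=SECTORS_PER_TRACK):
    """Construct a toy track-0 image: clean, or laid out as the bulletin describes."""
    clean_mbr = bytearray(SECTOR_SIZE)
    clean_mbr[:16] = b"FAKE-DOS-MBR-COD"            # constructed stand-in for boot code
    clean_mbr[-2:] = b"\x55\xaa"
    sectors = [bytes(clean_mbr)] + [bytes(SECTOR_SIZE)] * (spt - 1)
    if infected:
        loader = bytearray(clean_mbr)
        loader[:16] = b"FAKE-VIRUS-LOADR"            # MBR modified to run the virus
        sectors[0] = bytes(loader)
        sectors[spt - MBR_BACKUP_FROM_END] = bytes(clean_mbr)   # original MBR parked here
        for i in range(spt - VIRUS_TAIL_SECTORS, spt):
            sectors[i] = b"\xcc" * SECTOR_SIZE       # constructed placeholder for the body
    return b"".join(sectors)


if __name__ == "__main__":
    print(inspect_track0(build_sample_image(infected=True)))
    print("cylinders hit after 3 boots of a 100-cylinder partition:",
          encrypted_cylinders(100, 3))
```

Run against a real image only after booting from a clean, locked floppy: with the virus resident, the stealth routine returns an empty first track and the check reports a clean layout. The `encrypted_cylinders` helper is the reason the bulletin insists on copying files before removal: every cylinder it lists is readable only while the virus is in memory to decrypt it.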

Detection and Removal


WARNING: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost.

DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to ensure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus.

  1. Save on a floppy disk or tape any irreplaceable files before attempting to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. If any of these files are executables, be sure to scan them before putting them back on a cleaned machine.
  2. Boot your system with a clean, locked floppy to ensure the virus is not in memory.
  3. Run the CHK_HALF.EXE program to scan and remove the virus. Delete any files that CHK_HALF was not able to clean.
  4. Run a disk maintenance utility such as that included in Norton Utilities or PC Tools to locate and repair damaged directory structures and files caused by encryption of the cylinders and by the bug in the virus.
  5. Replace any damaged or missing files on the system.

The file CHK_HALF.ZIP is available on the CIAC file servers. Use anonymous FTP to connect to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. The CRC-32 checksum from pkzip for the file is: e02bf70a, and its expanded file length is 14,024 bytes.

Version 4.0E of the Department of Energy's site-licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software that detects this virus includes Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, McAfee Scan version 2.11 (scheduled for shipping in mid-September), and F-PROT version 2.14a (scheduled for the end of September).


CIAC wishes to thank Bill Kenny of DDI for spending his Labor Day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning.

DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/