Wednesday

ONE -- HALF VIRUS


Information about the One-half virus:

This is a multipartite DOS virus that infects COM and EXE files under DOS and the partition table (MBR) of hard disks. The virus stays in memory when the computer is booted from an infected disk. While it is active in memory, it infects every EXE and COM file that is opened or executed on floppy and network drives. It does not infect files on the hard disk. The virus infects the partition table of the hard disk the first time it infects the computer. An infected file grows by 3518, 3544 or 3577 bytes, depending on the particular variant of the virus. One-half is a stealth virus, so it tries to hide its presence. It also tries not to infect some anti-virus programs such as SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE and MSAV.
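The fixed growth amounts above can be used as an integrity check. The following is an added example, not code from the original page or from any anti-virus product: it compares two size snapshots of COM/EXE files and flags growth by exactly one of the listed amounts. The function names and the sample files are assumptions constructed for illustration.

```python
import os

# Growth in bytes per variant, as listed in the description above.
ONEHALF_GROWTH = {3518: "onehalf.3518", 3544: "onehalf.3544", 3577: "onehalf.3577"}
TARGET_EXTS = {".com", ".exe"}  # the file types the virus infects


def snapshot(root):
    """Map relative path -> size for every COM/EXE file under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes


def suspect_growth(baseline, current):
    """Return (path, old, new, variant) for files that grew by a listed amount."""
    hits = []
    for path, new_size in sorted(current.items()):
        old_size = baseline.get(path)
        if old_size is None:
            continue  # new file: no baseline to compare against
        variant = ONEHALF_GROWTH.get(new_size - old_size)
        if variant:
            hits.append((path, old_size, new_size, variant))
    return hits


def demo():
    """Constructed sample: one file grows by 3544 bytes, one by an unrelated amount."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("EDIT.COM", 1200), ("SETUP.EXE", 40960), ("README.TXT", 300)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\x00" * size)
        before = snapshot(root)
        with open(os.path.join(root, "EDIT.COM"), "ab") as f:
            f.write(b"\x00" * 3544)  # simulated growth only (zero padding)
        with open(os.path.join(root, "SETUP.EXE"), "ab") as f:
            f.write(b"\x00" * 100)   # ordinary change, must not be flagged
        return suspect_growth(before, snapshot(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Because the page describes One-half as a stealth virus, take the comparison snapshot after booting from known-clean media. A size match is a lead for a scanner to confirm, not a verdict.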

The virus contains the following text:

Dis is one half.
Press any key to continue ...
Did you leave the room ?

One-half virus encrypts the contents of the infected hard disk. Each time the computer is booted, the virus encrypts 2 cylinders of the hard disk, starting from the end. The number of the last encrypted cylinder and the encryption keys are stored in the partition table of the hard disk. When the virus is in memory, it decrypts the data as it is accessed, so the user does not notice the encryption taking place. The encrypted data will be lost if the virus is removed from the partition table without decrypting the data first. When Protector Plus detects One-half, it decrypts the data first and then removes the virus.

One-half virus first appeared in 1995 and it is in the wild.

Other names of One-half virus:
This worm is also known as onehalf, free love, dis, onehalf.madjid, onehalf.3518, onehalf.3544, onehalf.3577 and slovak bomber.
