|Subtype||file and boot infector|
|Point of isolation||Unknown|
|Point of origin||Slovakia|
OneHalf is a DOS-based polymorphic computer virus (hybrid boot and file infector) discovered in October 1994. It is also known as Slovak Bomber, Freelove or Explosion-II. It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE. However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name.
It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.
OneHalf has about 20 different variants, all with functionally similar behaviour.
OneHalf is known for its peculiar payload: at every boot, it encrypts two unencrypted cylinders of the user's Hard disk, but then temporarily decrypts them when they are accessed. This makes sure the user does not notice that their hard disk is being encrypted like this, and lets the encryption continue further. It also hides the real MBR from programs on the computer, to make detection harder. The encryption is done by bitwise XORing by a randomly generated key, which can be decrypted simply by XORing with the same bit stream again. Once the virus has encrypted half of the disk, and/or on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of any month and under some other conditions, the virus will display the message:
Dis is one half.
Press any key to continue ...
OneHalf's unique payload makes removal harder: simply removing the virus and cleaning the MBR will leave the data encrypted, requiring backups to restore it. As such, special tools are needed to decrypt the hard disk before removing the virus. One such tool was developed for SAC (Slovak Antivirus Center) to do this job.
- "One Half Virus". VSUM. Retrieved 13 February 2013.
- "One-half virus". Proland Software. Retrieved 13 February 2013.
- "One Half". ESET. Retrieved 13 February 2013.
- "One_Half". Symantec. Retrieved 13 February 2013.
- "YouTube: danooct1: Virus.DOS.Onehalf Followup/Removal Attempt". danoooct1. 25 September 2013. Retrieved 14 December 2014.