
Dis is one half... (PC)


azza...@student.gu.se

May 2, 1997, 3:00:00 AM

When I start my computer I get
"Dis is one half.
Press any key.." message right after ROM messages and before starting
the operating system.

I'm wondering if it can be a virus?

Thanks.


Jorge Luis Ponciano Novoa

May 4, 1997, 3:00:00 AM

azza...@student.gu.se wrote:

>When I start my computer I get
>"Dis is one half.
>Press any key.." message right after ROM messages and before starting
>operating system.

Your hard disk is infected with the ONE HALF virus, which is a boot sector
virus. Every time you boot from your infected drive, the virus will
start to encrypt it, and then when it gets to half the size of your
drive, and of course one half is also encrypted, you will get the message
that your Disk is one half. As far as I know most of the antivirus
programs will detect it and eliminate it, but the problem will be with the drive.
There is no way you can decrypt the information that has been encrypted in
your drive, so in this situation you must do a low level format to get
complete use of the total space available on your drive. If you want
to try an antivirus, you can download Thunderbyte v8.0 from
www.thunderbyte.com in English or www.thunderbyte.com/mx in Spanish.

Jorge Ponciano
ThunderByte PERU (Latin America)
jl...@amauta.rcp.net.pe


bullwinkle

May 4, 1997, 3:00:00 AM

In article <0028.01IIFN...@csc.canterbury.ac.nz>,
azza...@student.gu.se says...

>When I start my computer I get
>"Dis is one half.
>Press any key.." message right after ROM messages and before starting
>operating system.
>

>I'm wondering if it can be a virus?

Yes. It appears you have the symptoms of the "One_half" virus. Please see
this description (pay close attention to the "warning" section at end):

++++++++++++ begin virus description +++++++++++++
Name: One_Half
Alias: Slovak Bomber, Explosion-II, Freelove
Size: 3544
Type: Stealth MBR COM/EXE-files

One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II,
was first discovered in May 1994. The virus has been found both in USA and
Europe. One_Half is a destructive virus: its removal may cause files to
be damaged.

One_Half is a multipartite virus. It infects hard disk MBRs and COM and
EXE files. Infected files grow by 3544 bytes. The virus is also
polymorphic, so its appearance changes between every infection.

Besides the aforementioned features, One_Half employs stealth virus
techniques. When the MBR of an infected hard disk is examined, the virus
shows the original contents of the MBR. It makes the other sectors on the
zero track seem empty, although in truth they contain a part of the virus
code and the original MBR.

The following unencrypted texts can be found inside the virus's code:

Dis is one half.
Press any key to continue ...
Did you leave the room ?

The virus also contains the names of many anti-virus products:

SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

One_Half is a destructive virus. Every time an infected computer is
booted, the virus encrypts the last two unencrypted cylinders on the first
disk partition. This way, the encrypted area slowly creeps toward the
disk's beginning. When information is retrieved from the encrypted area,
the virus decrypts it on the way, so the user doesn't notice anything out
of the ordinary.

The encrypted information stays encrypted while the virus is not resident,
so the true nature of things is revealed only after the computer is booted
from a diskette or after the virus is removed. If One_Half is removed from
a hard disk's MBR without first making a backup copy of the computer's
data, it is almost impossible to restore the encrypted information on the
hard disk; the virus stores both the encryption key and information about
the location and extent of the encrypted area inside its own code in the
MBR.

The encryption does not take place at all if the machine is running MS-DOS 6.

WARNING: Because of the encryption the virus does, make sure you copy any
important files to a floppy disk or tape with the virus resident
before removing the virus.

[Analysis: Mikko Hypponen, Data Fellows Ltd's F-PROT Professional Support]
++++++++++++ end virus description +++++++++++++
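
A triage check for the stealth behaviour described above, as an added example that is not part of the original post or of any product named in this thread: it reads track zero of a raw disk image taken after booting from clean media, lists the sectors after the MBR that are not empty, and searches for the plain-text strings quoted in the description. The 512-byte sector size, the 63-sectors-per-track geometry and all function names are assumptions, and the sample image is constructed.

```python
SECTOR = 512             # assumption: 512-byte sectors
SECTORS_PER_TRACK = 63   # assumption: set this to the drive's real geometry

# Plain-text strings the description above says are inside the virus code.
MARKERS = [b"Dis is one half.", b"Press any key to continue", b"Did you leave the room"]


def triage_track_zero(image: bytes, spt: int = SECTORS_PER_TRACK) -> dict:
    """Inspect track zero: the MBR plus the normally unused sectors after it."""
    track = image[: spt * SECTOR]
    if len(track) < SECTOR:
        raise ValueError("image is smaller than one sector")
    sectors = [track[i:i + SECTOR] for i in range(0, len(track), SECTOR)]
    report = {
        "boot_signature_ok": sectors[0][510:512] == b"\x55\xaa",
        # 1-based numbers of sectors after the MBR holding any non-zero byte
        "nonempty_hidden_sectors": [n + 1 for n, s in enumerate(sectors)
                                    if n > 0 and any(s)],
        "marker_hits": [],
    }
    # Search the whole track so a marker straddling two sectors is still found.
    for marker in MARKERS:
        pos = track.find(marker)
        while pos != -1:
            report["marker_hits"].append(
                (marker.decode(), pos // SECTOR + 1, pos % SECTOR))
            pos = track.find(marker, pos + 1)
    report["suspicious"] = bool(report["marker_hits"])
    return report


def build_sample_image(with_markers: bool) -> bytes:
    """Constructed test data, not a real sample: a blank track zero."""
    img = bytearray(SECTORS_PER_TRACK * SECTOR)
    img[510:512] = b"\x55\xaa"            # standard MBR boot signature
    if with_markers:
        off = 4 * SECTOR + 100            # sector 5 (1-based), offset 100
        img[off:off + len(MARKERS[0])] = MARKERS[0]
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage_track_zero(build_sample_image(flag)))
```

Non-empty sectors on track zero are only a hint, since boot managers and disk overlay software also use that area; a marker hit is the stronger indicator.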


Peter M.

May 5, 1997, 3:00:00 AM

Jorge Luis Ponciano Novoa <jl...@amauta.rcp.net.pe> wrote:

> Your hard disk is infected with the ONE HALF virus, which is a boot sector
> virus. Every time you boot from your infected drive, the virus will

One Half is multipartite ...

> that your Disk is one half. As far as I know most of the antivirus
> programs will detect it and eliminate it, but the problem will be with the drive.
> There is no way you can decrypt the information that has been encrypted in
> your drive, so in this situation you must do a low level format to get

^^^^^^^^^^^^^^^^^^^^^^^
Stop! That's the worst you can do!

Most really good antiviral programs are capable of decrypting an HD encrypted
by the One Half virus. My suggestion is the NOD-ICE antiviral program, available
at

ftp.elf.stuba.sk/pub/pc/sac/nod710.exe
ftp.elf.stuba.sk/pub/pc/avir/nod710.exe

and on all mirrors of this good AV site.

There is also a special utility designed to remove the One Half virus. Like
NOD-ICE, this utility is capable of decrypting encrypted disk tracks.

______________________________________________________________________________

Peter Kovac, Comenius University Bratislava

E-mail: ko...@fmed.uniba.sk

______________________________________________________________________________


Francois Paget

May 5, 1997, 3:00:00 AM

<azza...@student.gu.se> wrote in Vol10#73

>When I start my computer I get
>"Dis is one half.
>Press any key.." message right after ROM messages and before starting
>operating system.

This is the ONEHALF virus. A complete description of this virus is
available at:
http://www.mcafee.com/support/techdocs/vinfo/v_0890.html

With each boot, it encrypts the hard disk two cylinders at a time
starting with the end of the first disk partition. When one half of
the drive has been corrupted by the above procedure, the following
messages are displayed:

"Dis is one half."
"Press any key to continue..."

I am sending a tool directly to you in order to decrypt your hard disk...

Francois PAGET
McAfee
AV Research - Europe


Patrick Noyens

May 7, 1997, 3:00:00 AM

On 4 May 1997 12:38:02 -0000, Jorge Luis Ponciano Novoa
<jl...@amauta.rcp.net.pe> wrote:

>azza...@student.gu.se wrote:
>>When I start my computer I get
>>"Dis is one half.
>>Press any key.." message right after ROM messages and before starting
>>operating system.
>

>Your hard disk is infected with the ONE HALF virus, which is a boot sector
>virus.

More exactly: One_Half is a multipartite virus. It infects .COM, .EXE
files and the MBR.

> Every time you boot from your infected drive, the virus will
>start to encrypt it, and then when it gets to half the size of your
>drive, and of course one half is also encrypted, you will get the message
>that your Disk is one half. As far as I know most of the antivirus
>programs will detect it and eliminate it, but the problem will be with the drive.
>There is no way you can decrypt the information that has been encrypted in
>your drive, so in this situation you must do a low level format to get
>complete use of the total space available on your drive.

No, no, no!
A good AV can decrypt the sectors encrypted by the One_Half virus:
for example KAMI's AVP and Dr. Solomon's FindVirus can do so.
You can get evaluation versions of the above programs at:
http://www.drsolomon.com/ (Dr. Solomon)
http://www.command-hq.com/ (AVP)
All you need to do is boot from a known clean system disk and
run:
"FINDVIRU /LOCAL /REPAIR" or
"AVPLITE *: /- "

Dear moderator,
How could you refrain from reacting to the reply from Jorge Luis
Ponciano Novoa? Because he seems to be a Thunderbyte representative,
people tend to take his word and would start low level formatting
their HD to remove One_Half... Of course, this was *very* bad
advice.

-Patrick-
------------------------------------------------------------------------------
E-mail : patrick...@ping.be
PGP-key available on request.
Key fingerprint = 01 31 60 FF C2 0F D4 A7 D2 83 64 FE 3E 3F 83 79

[Moderator's note: In reply to Patrick's question, I quite simply missed
it. On re-reading it (once posted) I think my normal reaction would have
been to write back to Jorge and ask if he really wanted to post such
advice, explaining why I thought it inappropriate.]

