posted on March 29, 2001 09:29:49 AM
After noticing an alarming slowdown in my computer's performance, I ran "housecall" only to find that I am infected with the ONEHALF.3544* virus. I spent a few hours last night trying to remove the virus, without success. Most of the anti-virus preview software I've tried doesn't even recognize that my system is infected. Apparently, this virus has stealth-like abilities that allow it to go undetected. The only software that recognized the virus was Housecall; however, it indicates it is unable to automatically remove it from my system. Does anyone have any ideas on how to remove this virus from my computer? I'll require an Idiot's Guide, as my computer skills are somewhat limited. Any help would be greatly appreciated. P.S. I realize I have a scolding coming for not running anti-virus software. So give it to me! A lesson learned.
posted on March 29, 2001 09:49:10 AM
I found the following info on McAfee's web site. You're going to need professional help, as this virus has most likely trashed the boot sector of the hard drive.
Virus Name
One Half
Date Added
10/15/94
Virus Characteristics
One Half is a multi-partite, memory resident encrypting virus. One Half specifically targets .COM and .EXE files, the boot sector on floppy diskettes and the Master Boot Record (MBR) (the sector which contains the partition table).
When the first One Half infected file is accessed, the One Half virus will infect the system hard disk's MBR. It does not become memory resident until the system is rebooted from the system hard disk.
When the system is booted from the infected system hard disk, the One Half virus will become memory resident at the top of system memory, but below the 640K DOS boundary. Interrupt 12's return is not moved. Interrupt 21 will be hooked by the virus in memory.
Once memory resident, One Half infects .COM and .EXE files, including COMMAND.COM, when they are accessed. The file's date and time in the DOS disk directory listing will not be altered.
The One Half virus also employs stealth techniques. When the MBR of an infected hard disk is examined, the virus displays the original contents of the MBR. The "encrypted" information stays "encrypted" while the virus is not resident in memory, so the true nature of the system's MBR is not revealed until the virus is removed.
Because of the changes One Half makes on the machine, the original boot sector may be altered and the partition table may be damaged.
One Half is also destructive. With each boot, it slowly corrupts the hard disk two cylinders at a time starting with the end of the first disk partition. When one half of the drive has been corrupted by the above procedure, the following messages are displayed:
"Dis is one half."
"Press any key to continue..."
Additional Comments:
The One Half, or One Half.3544, virus was isolated in October, 1994, in Austria. It has been reported to be "in the wild". One Half is a memory resident multipartite stealth virus which infects the system hard disk's master boot record (the sector containing the partition table), as well as .COM and .EXE files, including COMMAND.COM.
When the first One Half infected program is executed, the One Half virus will infect the system hard disk's master boot record. It does not become memory resident until the system is rebooted from the system hard disk.
When the system is booted from the infected system hard disk, the One Half virus will become memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,096 bytes. Interrupt 21 will be hooked by the virus in memory.
Once memory resident, this virus will infect .COM and .EXE programs, including COMMAND.COM, when they are executed, opened, or copied. Infected programs will have a file length increase of 3,544 bytes, though the file length increase will not be visible when the virus is memory resident. The virus will be located at the end of all infected files. The program's date and time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral code:
"COMMAND"
"valid driv"
"Dis is one half."
"Press any key to continue ..."
".COM .EXE SCAN CLEAN"
"FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW"
"Did you leave the rom ?"
"Invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"
It is unknown what One Half does besides replicate. Known variant(s) of One Half are:
Indications Of Infection
This virus will cause .COM and .EXE files to increase in length by 3,544 to 1,042 bytes, with the virus inserted at the end of the file. This increase in the file length is not visible when the virus is memory resident. CHKDSK also reports a decrease of 4,096 of total system and available free memory. This decrease may cause memory conflicts.
One Half contains the following encrypted messages:
"COMMAND"
"valid driv"
"Dis is one half"
"Press any key to continue..."
".COM .EXE SCAN CLEAN"
"FINDVIRU GUARD NOD VSAFE MSAV CHKDSKRSQVW"
"Did you leave the rom ?"
"invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"
Method Of Infection
Multi-partite viruses have two main routes of infection; either as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.
Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.
Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.
The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.
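Added example (not part of the original post or of McAfee's write-up): a baseline check built on the two indicators quoted above, a 3,544-byte growth in .COM/.EXE files and a 4,096-byte drop in CHKDSK's total memory. The listings, CHKDSK excerpts and function names are constructed for illustration, and the current listing is assumed to have been captured after booting from known-clean media, since the description says the growth is hidden while the virus is resident.

```python
import re

GROWTH = 3544    # per-file length increase given in the description above
# Constructed DIR-style listings (name, extension, size, date, time).
BASELINE_DIR = """\
COMMAND  COM    54,645 05-31-94   6:22a
EDIT     COM       413 05-31-94   6:22a
XCOPY    EXE    16,930 05-31-94   6:22a
"""
CURRENT_DIR = """\
COMMAND  COM    58,189 05-31-94   6:22a
EDIT     COM       413 05-31-94   6:22a
XCOPY    EXE    20,474 05-31-94   6:22a
README   TXT     1,200 03-29-01   9:29a
"""
# Constructed CHKDSK excerpts: known-good baseline vs. the suspect boot.
BASELINE_CHKDSK = "    655,360 total bytes memory\n    578,912 bytes free\n"
CURRENT_CHKDSK = "    651,264 total bytes memory\n    574,816 bytes free\n"

DIR_LINE = re.compile(r"^(\S+)\s+(COM|EXE)\s+([\d,]+)\b", re.IGNORECASE)
MEM_LINE = re.compile(r"([\d,]+)\s+total bytes memory")

def parse_listing(text):
    """Map NAME.EXT -> size for .COM/.EXE entries only."""
    sizes = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            sizes[f"{m.group(1)}.{m.group(2)}".upper()] = int(m.group(3).replace(",", ""))
    return sizes

def grown_files(baseline, current):
    """Files whose size grew by exactly GROWTH; dates are no help, they stay unchanged."""
    base, cur = parse_listing(baseline), parse_listing(current)
    return sorted(n for n in cur if n in base and cur[n] - base[n] == GROWTH)

def memory_drop(baseline, current):
    """Bytes of total memory lost versus the baseline, or None if unparseable."""
    found = [MEM_LINE.search(t) for t in (baseline, current)]
    if not all(found):
        return None
    before, after = (int(m.group(1).replace(",", "")) for m in found)
    return before - after

if __name__ == "__main__":
    print("grew by 3,544 bytes:", grown_files(BASELINE_DIR, CURRENT_DIR))
    print("memory drop:", memory_drop(BASELINE_CHKDSK, CURRENT_CHKDSK))
```

A memory drop of 4,096 bytes on its own is only a hint, since other resident software also lowers the total; it carries weight when it coincides with files that grew by exactly 3,544 bytes.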
posted on March 29, 2001 10:33:15 AM
If this has messed with the Boot Sector, a plain reformat won't be enough. I don't know enough about it to offer solid advice though. I do know my sister-in-law had a virus attack their boot sector, and it took a pro to fix it completely.
posted on March 29, 2001 10:38:46 AM
According to Norton, a plain reformat will take care of One Half's infection of the MBR (master boot record), but the problem is that some of your disk data has been encrypted, and if you just remove the virus, then you lose access to your data. Plus you have to remove it from the other files it's infected.
McAfee has a "try their online virus stuff" at:
http://www.macafee.com
Might want to try that too.
I'll bet cheap AV software is available on eBay. I got mine "free after rebate" from Staples.