Viral Rewind: Virus.DOS.OneHalf

-----------------------------------------------------------
OneHalf is a virus that fascinated virus researchers when it was first discovered in 1994. When loaded from an infected file, OneHalf infects the master boot record of the primary hard disk. Every time the computer boots from the infected MBR, the virus takes the last two cylinders/sectors of the HDD and encrypts them with a bitwise XOR. On the next boot it encrypts the next two cylinders/sectors, and it repeats this until half of the disk has been encrypted.

The infected MBR will also load OneHalf into memory on each boot thereby enabling it to infect .COM and .EXE files as they're accessed. It also employs stealth capabilities to both hide any file size changes and to decrypt any encrypted files as they're accessed to hide the infection from the user.

Payload: Once half of the disk has been encrypted and the date is the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th or 30th of any month, OneHalf halts the boot process with the following message:

" Dis is one half.
Press any key to continue..."

If a user accessed the encrypted files after booting from a diskette, or wrote a clean MBR over OneHalf's MBR, the files located on the last half of the HDD could no longer be accessed or read, because the virus was no longer resident to decrypt them on the fly. Files on the first half of the HDD were not affected. Proper removal requires a purpose-built tool that first decrypts the last half of the HDD and then installs a clean MBR.
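The following Python model is an added illustration, not part of the video description and not code from OneHalf itself. It reproduces the behaviour the description lists on a constructed toy disk of 16 "cylinders" with a one-byte XOR key (both assumptions; the real key handling is not on the page): two cylinders encrypted from the end per boot until half the disk is done, transparent decryption while the virus is resident, the payload date check, and the difference between overwriting the MBR naively and decrypting first.

```python
"""Toy model of OneHalf's progressive disk encryption and of the two removal outcomes.
Added example: constructed data, toy sizes, and a one-byte XOR key are all assumptions."""
from __future__ import annotations

CYLINDERS_PER_BOOT = 2                                   # from the description: two per boot
PAYLOAD_DAYS = {4, 8, 10, 14, 18, 20, 24, 28, 30}        # trigger days from the description


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


class ToyDisk:
    """A disk modelled as a list of cylinders, encrypted from the last cylinder backwards."""

    def __init__(self, cylinders: list[bytes], key: int) -> None:
        self.cylinders = list(cylinders)
        self.key = key                 # assumption: a single XOR key byte
        self.encrypted_count = 0       # cylinders, counted from the end, currently encrypted
        self.mbr_infected = True       # an infected MBR loads the virus on every boot
        self.resident = False          # whether the virus is in memory right now

    @property
    def target(self) -> int:
        """The virus stops once half of the disk is encrypted."""
        return len(self.cylinders) // 2

    def is_encrypted(self, idx: int) -> bool:
        return idx >= len(self.cylinders) - self.encrypted_count

    def boot(self) -> None:
        """One boot: with an infected MBR the virus goes resident and encrypts the next two
        cylinders from the end (until half is done); with a clean MBR nothing happens."""
        self.resident = self.mbr_infected
        if not self.resident:
            return
        for _ in range(CYLINDERS_PER_BOOT):
            if self.encrypted_count >= self.target:
                break
            idx = len(self.cylinders) - 1 - self.encrypted_count
            self.cylinders[idx] = xor_bytes(self.cylinders[idx], self.key)
            self.encrypted_count += 1

    def read(self, idx: int) -> bytes:
        """What a program sees: while resident, the virus decrypts the encrypted region on
        the fly (stealth); otherwise the raw, possibly encrypted, bytes come back."""
        raw = self.cylinders[idx]
        if self.resident and self.is_encrypted(idx):
            return xor_bytes(raw, self.key)
        return raw

    def payload_triggers(self, day_of_month: int) -> bool:
        """The halt-with-message payload fires once half is encrypted, on the listed days."""
        return self.encrypted_count >= self.target and day_of_month in PAYLOAD_DAYS

    def naive_removal(self) -> None:
        """Write a clean MBR without decrypting: the encrypted half stays scrambled."""
        self.mbr_infected = False
        self.resident = False

    def proper_removal(self) -> None:
        """Decrypt the encrypted region first, then write the clean MBR."""
        for idx in range(len(self.cylinders)):
            if self.is_encrypted(idx):
                self.cylinders[idx] = xor_bytes(self.cylinders[idx], self.key)
        self.encrypted_count = 0
        self.naive_removal()


def make_disk(num_cylinders: int = 16, key: int = 0x5A) -> tuple[ToyDisk, list[bytes]]:
    """Constructed toy disk with recognisable plaintext per cylinder; returns disk + originals."""
    original = [f"cyl{i:02d}:".encode().ljust(16, b".") for i in range(num_cylinders)]
    return ToyDisk(original, key), original


def run_scenario(proper: bool) -> dict:
    """Infect, boot until half the disk is encrypted, remove the virus one way or the other,
    and report which cylinders are still readable afterwards."""
    disk, original = make_disk()
    boots = 0
    while disk.encrypted_count < disk.target:
        disk.boot()
        boots += 1
    stealth_ok = all(disk.read(i) == original[i] for i in range(len(original)))
    if proper:
        disk.proper_removal()
    else:
        disk.naive_removal()
    disk.boot()  # boot from the clean MBR: the virus is no longer loaded
    readable = [disk.read(i) == original[i] for i in range(len(original))]
    return {"boots_to_half": boots, "stealth_ok": stealth_ok, "readable_after_removal": readable}


if __name__ == "__main__":
    for proper in (False, True):
        r = run_scenario(proper)
        print("proper" if proper else "naive ", r["boots_to_half"], "boots;",
              sum(r["readable_after_removal"]), "of", len(r["readable_after_removal"]), "cylinders readable")
```

Running it shows the point the description makes about removal order: the naive scenario leaves the first eight cylinders readable and the last eight unreadable, while decrypting before replacing the MBR leaves all sixteen intact. The stealth check passes in both runs, which is why the infection was invisible to a user of the running system.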

-----------------------------------------------


So it changes nothing to the person booting from the disk, but makes it harder for those mounting the disk externally to view the data... did this virus just invent BitLocker before BitLocker?

davipab