NASIRC BULLETIN #94-30: DANGEROUS DOS/WINDOWS VIRUS ('ONE_HALF') FOUND

Date: 26 Sep 94 12:49:00 CST
Subject: VIRUS

1. The following was received by NASIRC (NASA Automated Systems Incident Response Capability.

NASIRC recently received notification of the discovery in the U.S. of a dangerous virus called "One_half", previously seen only in Europe, that damages files and encrypts the hard drive on DOS and Windows computers. The current versions of most virus scanners do not recognize/detect this virus (although new versions are expected shortly). One_half is capable of damaging all the files on an infected disk.

SYSTEMS AFFECTED:

All systems running any version of MS-DOS, PC-DOS, DR-DOS, or Windows.

THE PROBLEM:

One_half was originally discovered in Europe in April 1994. It causes d amage in two ways. The first time an infected executable file is run, the virus loads itself into memory and attaches itself to all .COM and .EXE files on the system's hard drive. It then begins to encrypt the hard drive, potentially making all files in the encrypted cylinders unrecoverable if the virus is removed (see details below).

When an infected file is run, One_half attacks the hard drive's master boot record. It copies the original master boot record to a sector that is eight back from the end of the first track, then modifies the master boot record to run the virus code. The remainder of the virus code is placed in the last seven sectors of the first track on the hard disk.

One_half is intentionally damaging. Every time an infected machine is booted, the virus encrypts two cylinders of the hard drive's DOS partition, starting with the highest numbered cylinder and progressing to lower numbered ones. As long as One_half is in memory, this encryption is hidden from the user because the encrypted sectors are decrypted any time they are accessed by the system.

Symptoms of infection by the One_half virus:

problems with connections to file servers
.COM and .EXE files grow by 3544 bytes
files may be damaged and become unusable
Windows cannot start
the system cannot boot up
a suspicious activity detector (e.g., DDI's VirAlert) may warn that system interrupt 21 is pointing to a nonexisting block of memory when the system is booted (if the master boot record is infected).

Morphology of the One_half virus:

It is multipartite, and can infect .COM and .EXE files as well as the master boot record.
It is a stealth virus; it actively hides the infection in the first track of an infected disk. If the virus is in memory, an examination of the first track by anti-viral software will show only a normal master boot record in the first sector and empty sectors in the remainder of the track.
It is polymorphic; it changes its appearance with every infection by shuffling different do-nothing instructions between the actual commands in the viral code.

The following strings are in clear text in the virus code:

Dis is one half.
Press any key to continue....
Did you leave the room?
The virus code includes the names of several well-known anti-viral packages: SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, and MSAV.

THE FIX:

WARNING--You must copy any important NON-EXECUTABLE files to floppy or tape *BEFORE* removing the virus from the system! Otherwise, the encryption key used by One_half will be lost when the virus is removed and your files will remain encrypted and unusable! (DO NOT copy any .COM or .EXE files, or you will simply be re-infecting your system.) DDI has made available a detection/removal utility called CNK_HALF. It must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to insure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first, and thus will NOT work correctly with the virus in memory, so be sure the system was booted from a clean, locked floppy. Also, the utility does *NOT* decrypt any encrypted cylinders, so be sure to copy any important files to floppy or tape BEFORE removing the virus, or they will be unusable!

CHEK_HALF.EXE is available from the NASIRC Anon FTP server at the URL:

ftp://nasirc.nasa.gov/home/kits/ftp/toolkits/DOS/chk_half.zip

If the above URL doesn't work, please read this

Remember that this file must be transferred in binary mode!

Save any irreplaceable files onto floppy or tape before you attempt to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. Be sure to scan any executables BEFORE putting them back on a cleaned machine.
Boot your system from a clean, locked floppy to insure the virus is not in memory.
Run CHK_HALF.EXE to scan for and remove the virus. You should delete any files that CHK_HALF was not able to clean.
Run a disk maintenance utility like those included in Norton Utilities or PC Tools to locate and repair directory structures or files damaged by the virus.
Replace any damaged or missing files on the system.

Other anti-viral packages to combat One_half in the near future include:

Version 4.OE of the Department of Energy's site-licensed antiviral product "Data Physician Plus!" (available the week of September 12, 1994)
Dr. Solomon's Antivirus Toolkit V6.65 (currently available)
Norton's AntiVirus (the October 1 monthly update)
McAfee Scan version 2.11 (scheduled for shipping in mid-September)

CHECKSUMS:

CIAC states that the pkzip CRC-32 checksum for the chk_half.zip file is 02bf70a, and its length when expanded is 14,024 bytes.

NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin, please contact NASIRC via any of the venues below.

NASIRC ACKNOWLEDGES: The Department of Energy's CIAC team for disseminating this information in a rapid and timely manner. Additional thanks go to Bill Kenny of DDI for spending his Labor day weekend laboring to write a detection/removal package for One_half.

For further assistance, please contact the NASIRC Helpdesk:

Phone: 1-800-7-NASIRC  Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056 STU-III: 1-301-982-5480

This bulletin may be forwarded without restriction to sites and system administrators within the NASA community. The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information:

        ~/bulletins              ! contains NASIRC bulletins
        ~/information            ! contains various informational files
        ~/training               ! contains NASIRC course abstracts
        ~/toolkits               ! contains automated toolkit software

The contents of these directories are updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance.