Virus Database


OneHalf family

Description OneHalf family

These are dangerous memory-resident, polymorphic, multipartite viruses. When executed, they infect the MBR of the hard drive. When the system boots from an infected disk, they hook INT 13h, 1Ch and 21h and write themselves to the end of COM and EXE files that are accessed. While infecting a file they check its name and do not infect the following files: SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV, CHKDSK.
The virus's decryption routine is divided into several parts that are placed at random offsets in infected files (see the "Bomber" virus).
While infecting the hard drive, "OneHalf" checks the Partition Table, looks for the last DOS partition (a DOS logical disk: FAT-12/FAT-16/BIGDOS) or extended partition, and calculates the first and last cylinder numbers of that disk/extended partition.
It saves the pointer to the last cylinder at offset 29h in the hard drive MBR. On each boot from the hard drive the virus decreases that pointer by two and encrypts the two cylinders that the pointer points to. On the first boot from the hard drive the virus encrypts the last two cylinders, on the next boot two more from the end, and so on. As a result, the encrypted "spot" at the end of the last logical disk/partition grows by 2 cylinders on each boot.
When that "spot" reaches the middle of the disk/partition, the virus may display the following message (subject to other conditions: on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of each month, and if the generation of the virus is even):
Dis is one half.
Press any key to continueall

After loading into system memory, the virus decrypts/encrypts these sectors "on the fly", so the corrupted sectors appear in their original form; after disinfection, however, all the encrypted data is lost.
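Because removing the virus leaves the "spot" encrypted, it helps to know its size before cleaning the MBR. The following is an added triage example, not code from this page or from any antivirus product: it reads the pointer at offset 29h from a saved MBR image and models the spot as described above. The function names, the 16-bit little-endian pointer width and the definition of "the middle" are assumptions.

```python
import struct

POINTER_OFFSET = 0x29                      # MBR offset given in the description
MESSAGE_DAYS = {4, 8, 10, 14, 18, 20, 24, 28, 30}

def spot_from_mbr(mbr: bytes, first_cyl: int, last_cyl: int) -> dict:
    """Model the encrypted "spot" from the pointer kept in an infected MBR.

    Assumptions, not stated on the page: the pointer is a 16-bit
    little-endian word, and "the middle" is (first_cyl + last_cyl) // 2.
    first_cyl/last_cyl are the bounds of the last DOS/extended partition.
    """
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55 AA")
    (pointer,) = struct.unpack_from("<H", mbr, POINTER_OFFSET)
    if not first_cyl <= pointer <= last_cyl:
        raise ValueError("word at 29h is not a cylinder of this partition")
    encrypted = last_cyl - pointer         # pointer drops by 2 on every boot
    middle = (first_cyl + last_cyl) // 2
    return {
        "pointer": pointer,
        "encrypted_cylinders": encrypted,
        "boots_so_far": encrypted // 2,
        "consistent": encrypted % 2 == 0,  # an odd count does not fit the model
        # the spot is modelled as the last `encrypted` cylinders of the partition
        "spot": (pointer + 1, last_cyl) if encrypted else None,
        "reached_middle": pointer <= middle,
        "boots_until_middle": max(0, (pointer - middle + 1) // 2),
    }

def message_possible(spot: dict, day_of_month: int, generation: int) -> bool:
    """Conditions the description lists for the on-screen message."""
    return (spot["reached_middle"] and day_of_month in MESSAGE_DAYS
            and generation % 2 == 0)

def constructed_mbr(pointer: int) -> bytes:
    """Constructed sample: an empty sector carrying only pointer and signature."""
    sector = bytearray(512)
    struct.pack_into("<H", sector, POINTER_OFFSET, pointer)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    info = spot_from_mbr(constructed_mbr(1003), first_cyl=0, last_cyl=1023)
    print(info, message_possible(info, 14, 2))
```

The cylinder range it reports is the data that needs to be decrypted or restored from backup before the MBR is cleaned.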
"OneHalf.3518" does not use a polymorphic engine to encrypt itself. It displays:
A20 Error !!!
Press any key to continue ...

"OneHalf.3544.b" does not infect the files: AIDS*.*, ADINF*.*, DRWEB*.*, ASD*.*, MSAV*.*. This virus displays:
Dis is TWO HALF.
Fucks any key to Goping...

"OneHalf.3544.c" does not encrypt the hard drive sectors. This virus displays:
Disk is Tpu half.
(Bepx, Hu3 u Pe6po)

The viruses also contain the strings:
"OneHalf.3544.a": Did you leave the room ?
"OneHalf.3544.b": User is loh !
"OneHalf.3577": DidYouLeaveTheRoom?

OneHalf.Madjid
This virus is not encrypted, but it encrypts hard drive sectors just as the original "OneHalf" does. It displays the text:
OHHHHH... MADJID
Here is very dark.
HELP ME... HELP ME... HELP...
I am here .They kill the love .I am solitary .
Press RETURN for continue


Spooky Family

Description Spooky Family

These are very dangerous overwriting viruses. "Spooky.215" and "Spooky.228" are not memory resident; they search for .COM files and infect them. "Spooky.314" hooks INT 21h and stays memory resident. It then overwrites all files that are executed.
The viruses display the messages:
"Spooky.215": [Krautfresser written by Spooky]
1996 Austria
"Spooky.228": 4711 written by Spooky. Austria 1996
"Spooky.314": ReIncanation written by Spooky. Austria 1996
Befehl oder Dateiname nicht gefunden.

Spring Family

Description Spring Family

These are memory-resident parasitic viruses that are not dangerous. They hook INT 21h and write themselves to the end of COM and EXE files that are executed.
"Spring.768" contains the text string "Spring". This virus sometimes manifests itself by a video effect.

    Copyright © 2005 Virus-Database.com