| Alias: | Slovak Bomber, Explosion-II Virus |
| Strain: | --- |
| Detected when: | |
| Where: | |
| Classification: | File (COM & EXE) infector, hard disk master boot record (MBR) infector |
| Length: | 4 kilobyte(s) {[0:412] - 4} |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PCs |
| Caroname: | One_Half.3544 |
Attributes | |
| Easy identification: | --- |
| Type of Infection: | - File infection: virus appends itself to files. - Bootsector infection: - Self-recognition in memory: INT_21;AX=4B53 -> AX=454B - Self-recognition on disk: if word [MBR+25]=00D3 then already infected. |
| Infection Technique: | |
| Infection Trigger: | (MBR system code = 1,4,5,6) and ([MBR:25]<>00D3) and ([MBR:180]<>072E) |
| Storage Media affected: | Harddisks |
| Interrupts hooked: | 0113/0213/031C21/1121/1221/3C21/3D21/3E21/4B0021/4C21/4E21/4F21/5621/5B21/6C0024 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | Virus hides the entry point. |
| Encoding Method: | |
| Damage: | Transient: --- Permanent: --- |
| Damage Trigger: | Transient: --- Permanent: --- |
| Particularities: | - Virus resides above last MCB. - Virus disables INT 1 and INT 3. - Displayed text: 'Dis is one half. ' 'Press any key to continue ...' - Not displayed text: 'Did you leave the room ?' - Virus recognises the following programs "by name": SCAN, CLEAN, FINVIRU, GUARD, NOD, VSAFE, MSAV. - Virus specially checks for execution of CHKDSK. |
| Similarities: | --- |
Agents | |
| Countermeasures: | ONEHALF.EXE |
| Standard means: | |
Acknowledgements | |
| Location: | |
| Classification by: | Igor G. Muttik |
| Documentation by: | Igor G. Muttik |
| Date: | 24-April-1994 |
| Information Source: | CaroBase entry, converted by S. Freitag, VTC Hamburg |
(c) 1996 Virus-Test-Center, University of Hamburg