
Legends of virus construction: in the vise of an encryptor

cyfers
Many people remember the summer of 1994. What for? The answer is simple: although more than 15 years have passed, these three lines may still give some readers a sinking feeling in the pit of the stomach:

Dis is one half.
Press any key to continue…

Did you leave the room?


If you did not see it live, let me describe the sensations of those who did: bewilderment (about a minute), plain fear (about two minutes), a feverish rush of thoughts (what is this? what do I do? - five to ten minutes on average), anger (what the hell...?), and then another frantic rush of thoughts and actions (where is that damned floppy with Web on it?). Those, roughly, were the borderline emotional states felt by the owners of infected machines.
If you have not guessed yet, this is the virus that most people remember as OneHalf, although it is also known under other names: Slovak Bomber, Explosion-II, Freelove.

The virus was first detected in May 1994 in the United States and Europe, but by then it was already too late: it had spread widely around the world. OneHalf was distributed mainly through removable media (at that time, mostly floppy disks). Its properties are remarkable even today, and at the time it was, so to speak, a new word in the craft of virus writers.

Firstly, OneHalf is polymorphic (not the first and far from the last; modern viruses simply do not survive without polymorphism; for the uninitiated, a polymorphic virus is one whose every new copy may not coincide with the previous one in even a single byte). Secondly, it is a file-and-boot virus: it infects the MBR and the boot sectors of diskettes as well as COM and EXE files. Thirdly, the virus body is encrypted. Fourthly, when countered improperly, OneHalf destroyed data (more on that below). And last but not least, the stealth functionality built into the virus let it remain invisible to the system.

Now let's look at some of the details.



The encrypted virus body, 3544 bytes long, is placed in the infected file after the original end of file. The infected file also contains ten "spots" of decryptor code and a spot allocation table, located at the beginning of the file, which additionally holds the offset of the virus body from the start of the file.

Infected file (length increment 3544 bytes):


File infection mechanism



The epidemic spread by hand-carried floppies. When an infected system accessed a diskette for writing, OneHalf intercepted the call and checked the file's size, its name (it did not touch files named SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV, CHKDSK, AIDS, ADINF or WEB) and whether it was already infected. If the size or the name did not fit the algorithm, or the file was already infected, it was left alone. If the file was clean and met the virus's requirements, it was infected.

Ten empty places ("spots") were created in the file to hold the decryptor; the virus placed them in random order, with a single condition: at least 10 bytes between neighbouring spots. The allocation table for the decryptor spots was located at the beginning of the file; it also stored the random key with which the virus body, placed at the end of the infected file, was encrypted. If for some reason the write did not succeed, the spots were removed and the file remained clean; otherwise the infected file went onto the floppy to await its next victim.
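The layout just described (ten randomly placed decryptor spots with at least 10 bytes between neighbours, an allocation table at the start of the file carrying the spot offsets, the body offset and the key, and the encrypted body appended after the original end of file), as an added toy model in Python. This is my own illustration, not OneHalf's code or the layout of a real infected file: the table format (`TABLE_FMT`), the spot size, the marker byte standing in for decryptor code, the one-byte XOR "encryption" and the sample host bytes are all assumptions. The `recover` function shows the scanner side of the same structure: parse the table, check the placement rule, decrypt the body and rebuild the host.

```python
"""Toy model of the OneHalf file layout described above: ten decryptor "spots"
scattered through the host with at least 10 bytes between neighbours, an
allocation table at the start of the file holding the spot offsets, the body
offset and the key, and the XOR-encrypted body appended after the original end
of file. Table format, spot size and the one-byte key are my own assumptions."""
import random
import struct

SPOT_COUNT = 10            # decryptor fragments ("spots")
MIN_GAP = 10               # minimum free bytes between neighbouring spots
SPOT_SIZE = 8              # bytes of decryptor code per spot (assumed)
TABLE_FMT = "<10IIB"       # 10 spot offsets, body offset, key (assumed layout)
TABLE_SIZE = struct.calcsize(TABLE_FMT)
SAVED_SIZE = TABLE_SIZE + SPOT_COUNT * SPOT_SIZE   # host bytes the virus overwrites


def spots_valid(spots):
    """The placement rule: ten spots, each starting at least MIN_GAP bytes
    past the end of the previous one."""
    s = sorted(spots)
    return len(s) == SPOT_COUNT and all(b - (a + SPOT_SIZE) >= MIN_GAP
                                        for a, b in zip(s, s[1:]))


def choose_spots(host_len, rng):
    """Pick random spot offsets inside the host (after the table, before EOF)
    by rejection sampling until the placement rule is met."""
    lo, hi = TABLE_SIZE, host_len - SPOT_SIZE
    if hi - lo < SPOT_COUNT * (SPOT_SIZE + MIN_GAP):
        raise ValueError("host too small for the spot layout")
    spots = []
    while len(spots) < SPOT_COUNT:
        cand = rng.randrange(lo, hi)
        if all(abs(cand - s) >= SPOT_SIZE + MIN_GAP for s in spots):
            spots.append(cand)
    return sorted(spots)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_infected(host, payload, seed=1994):
    """Constructed sample of the layout. The host bytes under the table and
    under each spot are saved inside the encrypted body so the file can be
    restored; the spots themselves hold a marker byte standing in for code."""
    rng = random.Random(seed)
    spots = choose_spots(len(host), rng)
    key = rng.randrange(1, 256)                      # random per-file key
    saved = host[:TABLE_SIZE] + b"".join(host[o:o + SPOT_SIZE] for o in spots)
    img = bytearray(host)
    img[:TABLE_SIZE] = struct.pack(TABLE_FMT, *spots, len(host), key)
    for o in spots:
        img[o:o + SPOT_SIZE] = b"\xcc" * SPOT_SIZE   # stand-in for decryptor code
    img += xor_bytes(saved + payload, key)           # body after original EOF
    return bytes(img)


def recover(img):
    """Scanner side: parse the table, validate the spot layout, decrypt the
    appended body and rebuild the original host.
    Returns (spots, key, payload, host)."""
    fields = struct.unpack_from(TABLE_FMT, img, 0)
    spots = list(fields[:SPOT_COUNT])
    body_off, key = fields[SPOT_COUNT], fields[SPOT_COUNT + 1]
    if not spots_valid(spots) or not TABLE_SIZE <= body_off <= len(img) - SAVED_SIZE:
        raise ValueError("not an image in the assumed layout")
    plain = xor_bytes(img[body_off:], key)
    header = plain[:TABLE_SIZE]
    under = plain[TABLE_SIZE:SAVED_SIZE]
    payload = plain[SAVED_SIZE:]
    host = bytearray(img[:body_off])
    host[:TABLE_SIZE] = header
    for i, o in enumerate(spots):
        host[o:o + SPOT_SIZE] = under[i * SPOT_SIZE:(i + 1) * SPOT_SIZE]
    return spots, key, bytes(payload), bytes(host)
```

The point a practitioner should take from this is the one the article makes about the MBR further down: the key and the placement information live in the file itself, so a cleaner that simply truncates the file at `body_off` or zeroes the spots without consulting the table cannot restore the bytes the virus overwrote.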

Computer infection mechanism



When an infected diskette was used (booting from it or running an infected file), the virus used its own Int 12h interrupt handler to estimate the amount of free RAM and the Int 21h interrupt to check whether a copy of itself was already in memory.

If there was no virus in memory and more than 4 KB was free, it looked for signs of infection in the MBR and, finding none, infected it. To do so it wrote its own loader in place of the original MBR, then wrote the 7 sectors of its body into the last 7 sectors of track zero (the hidden sectors), and finally the original MBR into the eighth sector from the end of track zero. After writing its body to disk, or on finding an already infected MBR, OneHalf checked memory and, if no copy was resident, loaded one from disk.

Once the virus was loaded into RAM, it was at the wheel. Next, the villain read the lower bound of the encrypted tracks from the MBR and, if that bound had not yet reached track 7 from the start of the disk, encrypted the next two tracks adjacent to the already encrypted region, working from the end of the disk towards its start, using the random key stored in the MBR. If the encryption succeeded, the new lower bound of the encrypted tracks was written back to the MBR. (For its work it used its own handlers for Int 01h, Int 12h, Int 1Ch, Int 13h, Int 21h and Int 24h.) Once the lower bound reached track 7, no further encryption was done, to avoid damaging the system areas of the disk.

Then OneHalf checked three conditions: whether half of the disk was encrypted, whether the system date was a multiple of four, and the parity of the infection counter (kept in the virus body itself); if the check passed, the message was displayed:

Dis is one half.
Press any key to continue…


and the malware waited for the "Any" key to be pressed.

If the check failed (i.e. half of the disk was not yet encrypted, the counter was odd, or the system date did not fit), the message was not displayed and the virus passed control to the original loader until the next boot, keeping its interrupt handlers in place.

During normal work the user noticed nothing: the resident OneHalf intercepted accesses to already encrypted tracks and decrypted them on the fly without any noticeable slowdown, and hid the decrease in RAM size and the length increase of infected files from all programs except CHKDSK and Norton Commander. Not that this helped the analysts much: any attempt to trace the virus in memory reliably hung the system in an endless loop by means of its Int 01h interrupt handler.

Depending on the variant of OneHalf, the length increment of infected files varied: 3544, 3577 or 3518 bytes, which is why antivirus databases list the versions as OneHalf.3544, OneHalf.3577 and OneHalf.3518.

Different versions of OneHalf also displayed different messages once half of the disk had been encrypted (several of them spell Russian words with look-alike Latin letters):

Dis is one half.
Press any key to continue …

Dis is TWO HALF.
Fucks any key to Goping…

HET — u3uke u ucTopuu B pacnucaHuu uy7!

Disk is Tpu half.
(Bepx, Hu3 u Pe6po)

Dis is 3 HALF !.
Fucks any key to LoHing…

A cup of Beer ?.
See you later…


Wrestling



Why did the epidemic happen? I think it went like this. The virus was born somewhere in the winter of 1994; towards spring it began to spread massively, and this went on for several months unnoticed by users and antivirus developers. The first reports of the fatal lines on screens appeared only in May-June, because encrypting a 0.5 GB hard drive took about 500 reboots, which under normal PC use meant several months. So OneHalf was missed, and the epidemic ran wild, very nearly becoming a pandemic.

What matters is that getting rid of the virus took more than simply rewriting the MBR: that would only destroy the key to the encrypted data and, with it, the data itself. Guaranteed removal required delicate work by the antivirus tools, both to neutralise the virus and to decrypt the data.
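The disk-side behaviour described under "Computer infection mechanism" (key and lower bound kept in the MBR, two tracks encrypted per boot from the end of the disk down to track 7, on-the-fly decryption while resident, the half-disk / date / counter-parity trigger) together with the removal caveat just stated, as an added toy model in Python. This is my own illustration and not OneHalf's code: the cylinder count, 16-byte "cylinders", one-byte XOR as the cipher, reading "date multiple of four" as the day of the month, and the constructed disk contents are all assumptions. What it keeps faithful to the article is the order of operations and where the key lives.

```python
"""Toy model of OneHalf's disk-side behaviour as described above. Own
illustration, not the virus's code; sizes, cipher and date reading assumed."""
import random

CYLINDERS = 40        # toy disk; real disks of the time had hundreds of cylinders
SYSTEM_LIMIT = 7      # the virus never encrypted below track 7 (system areas)
PER_BOOT = 2          # cylinders encrypted per boot


def xor(data, key):
    return bytes(b ^ key for b in data)


class Disk:
    def __init__(self, seed=1994):
        rng = random.Random(seed)
        # Each cylinder holds 16 bytes of constructed "user data".
        self.cyl = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(CYLINDERS)]
        self.original = list(self.cyl)   # ground truth for checking, not on the disk
        self.infected = False            # does the MBR carry the virus loader?
        self.key = 0                     # random key, stored in the infected MBR
        self.low_bound = CYLINDERS       # lowest encrypted cylinder, stored in the MBR
        self.counter = 0                 # infection counter (only its parity matters)
        self.resident = False            # is a copy of the virus in RAM?

    def infect_mbr(self, seed=7):
        """MBR infection: loader goes into the MBR and a key is chosen once;
        nothing is encrypted yet."""
        if not self.infected:
            self.infected = True
            self.key = random.Random(seed).randrange(1, 256)

    def boot(self, day_of_month):
        """One boot. With an infected MBR the resident copy is loaded, two more
        cylinders are encrypted (never below SYSTEM_LIMIT) and the new bound is
        written back, then the trigger is evaluated. Returns True when the
        'Dis is one half' message would appear."""
        self.resident = self.infected
        if not self.infected:
            return False
        self.counter += 1
        if self.low_bound > SYSTEM_LIMIT:
            new_low = max(self.low_bound - PER_BOOT, SYSTEM_LIMIT)
            for c in range(new_low, self.low_bound):
                self.cyl[c] = xor(self.cyl[c], self.key)
            self.low_bound = new_low          # MBR updated only after success
        half_done = (CYLINDERS - self.low_bound) * 2 >= CYLINDERS
        return half_done and day_of_month % 4 == 0 and self.counter % 2 == 0

    def read(self, c):
        """Stealth: while resident, reads of encrypted cylinders are decrypted
        on the fly; after a clean boot the raw (encrypted) sectors come back."""
        if self.resident and c >= self.low_bound:
            return xor(self.cyl[c], self.key)
        return self.cyl[c]

    def rewrite_mbr_only(self):
        """The tempting fix: overwrite the MBR with a clean one. The loader is
        gone, and so are the key and the bound; encrypted cylinders stay scrambled."""
        self.infected = self.resident = False
        self.key = 0
        self.low_bound = CYLINDERS

    def disinfect(self):
        """Proper cleanup: decrypt with the key still in the MBR, then clean it."""
        for c in range(self.low_bound, CYLINDERS):
            self.cyl[c] = xor(self.cyl[c], self.key)
        self.rewrite_mbr_only()

    def damaged_cylinders(self):
        """How many cylinders, read the way the user would see them, no longer
        match the original data."""
        return sum(self.read(c) != self.original[c] for c in range(CYLINDERS))

    def intact(self):
        return self.damaged_cylinders() == 0


if __name__ == "__main__":
    d = Disk()
    d.infect_mbr()
    for day in range(1, 41):
        if d.boot(day):
            print(f"boot {day}: Dis is one half. (low bound {d.low_bound})")
    print("while resident, damaged cylinders:", d.damaged_cylinders())
    d.rewrite_mbr_only()
    print("after a bare MBR rewrite, damaged cylinders:", d.damaged_cylinders())
```

Run stand-alone, the script shows the message firing only once the bound has passed the middle of the disk and only on boots where the date and counter conditions line up, zero damaged cylinders while the virus is resident, and a disk full of unreadable cylinders the moment the MBR is replaced without decrypting first. Any tool that removes a cipher-style boot virus must extract the key material before it overwrites the sector that holds it.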

The virus and its modifications kept spreading for several more years, though no longer at such an explosive pace; even now it still roams old diskettes and rare old computers.

PS



What can I add in summary? Not long ago I realised that at school and at university they did not give us failing grades (twos :) for nothing whenever they caught us not scanning a freshly inserted diskette for viruses. Not for nothing at all...

→ OneHalf on the F-Secure site
→ OneHalf on Securelist
→ OneHalf on Viruslist
→ About OneHalf on the "Computer-Inform" pages
→ Kaspersky's essay on the OneHalf virus [ENG]

Source: https://habr.com/ru/post/74373/

