OneHalf.3544.A
Analysis
- Virus is multipartite, infecting the MBR and DBR
of floppies, as well as .EXE and .COM files
- Viral body is 3544 bytes, and is stealth by hiding
file size changes in .EXE and .COM files infected
- .EXE and .COM files increase in size by 3544 bytes
- If infected floppy is in pc upon boot, virus code
may be transferred to system MBR and become memory
resident at next system boot
- Unless a floppy is write-protected, it becomes
infected when accessed from an infected pc
- Virus encrypts two cylinders of the hard drive beginning from the end position, at each system boot, until at some future time, only one half of the hard drive remains unencrypted - the virus decrypts the encrypted locations on the fly while in memory