_____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ INFORMATION BULLETIN One_half Virus (MS-DOS) September 13, 1994 1600 PDT Number E-34 _____________________________________________________________________________ PROBLEM: A previously unknown computer virus is damaging systems. PLATFORM: All MS-DOS, PC-DOS, Windows systems, all versions. DAMAGE: Damages files, encrypts hard drive. SOLUTION: Update your Anti-Virus program to detect/remove the virus. _____________________________________________________________________________ VULNERABILITY While it is not epidemic, the virus has been seen at an East ASSESSMENT: coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming.) The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below.) _____________________________________________________________________________ Critical Information about the One_half Virus CIAC has received information about a new computer virus named One_half. The virus, first discovered in April 1994 and previously seen only in Europe, has been found at an East coast site in the United States. The virus is intentionally damaging and all files on an infected machine are at risk. Removal of the virus without first saving critical files could render those files unrecoverable (more below.) Symptoms -------- Symptoms of the infection include problems connecting to a file server, changes in file sizes, an inability to start Windows, an inability to boot a system and damaged files. If a suspicious activity detector, such as DDI's VirAlert program, is installed, it intercepts an attempt to write to the master boot record of a hard drive when an infected file is run. If the master boot record is already infected, VirAlert warns that system interrupt 21 is pointing to a non-existent block of memory when the system is booted. Virus Morphology ---------------- When an infected file is run, the virus attacks the master boot record of the hard drive. It copies the original master boot record to a sector that is eight back from the end of the first track and modifies the master boot record to run the virus code. The remainder of the virus code is found in the last seven sectors of the first track on the hard disk. The following strings are in clear text in the virus code. Dis is one half. Press any key to continue ... Did you leave the room ? The virus also contains the names of several prominent antivirus products; SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files. The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code. The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track. The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors. Detection and Removal --------------------- ========================================================================== WARNING: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost. =========================================================================== DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to insure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus. 1. Save on a floppy disk or tape any irreplaceable files before attempting to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. If any of these files are executables, be sure to scan them before putting them back on a cleaned machine. 2. Boot your system with a clean locked floppy to insure the virus is not in memory. 3. Run the CHK_HALF.EXE program to scan and remove the virus. Delete any files that CHK_HALF was not able to clean. 4. Run a disk maintenance utility such as that included in Norton Utilities or PC Tools to locate and repair damaged directory structures and files caused by encryption of the cylinders and by the bug in the virus. 5 Replace any damaged or missing files on the system. The file CHK_HALF.ZIP is available on the CIAC file servers. Use anonymous FTP to connect to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. The CRC-32 checksum from pkzip for the file is: e02bf70a, and its expanded file length is 14,024 bytes. Version 4.0E of the Department of Energy's site licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software which detect this virus include Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, and McAfee Scan version 2.11, which is scheduled for shipping in mid-September, F-PROT version 2.14a, scheduled for the end of September. _____________________________________________________________________________ CIAC wishes to thank Bill Kenny of DDI for spending his Labor day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning. _____________________________________________________________________________ For additional information or assistance, please contact CIAC: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov Previous CIAC Bulletins and other information are available via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53) formerly irbis.llnl.gov. CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. CIAC's mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov: subscribe list-name LastName, FirstName PhoneNumber e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.