Articles, Blog

Virus.DOS.OneHalf

December 17, 2019


Hello everyone. Today we’re taking a look at one of my personal favourite DOS viruses, just because it’s so unique in its payload, and just everything it really does. Called OneHalf. And um, I’d like to apologize for the quality. I mean this is probably the best I can do. I’m looking into getting a VGA capture card, but for now I would really like these videos to be in high definition and I just so happen to have this camcorder that picks up on this CRT really well at 1080p. And I’ve noticed a lot of confusion, especially in my latest video and across all my videos really, where people are arguing back and forth “No he’s using VMware”, “No he’s using Virtual PC”, “No it’s a standalone”, “No it is a virtual machine you stupid idiot get off these videos or I kill you”, All this stuff. Alright. Anyway, let’s clear the air right now. If you notice I’m using a screen recorder. It’s very crisp, very clear like a normal resolution we would never see and hear regular resolution I guess on like Windows 95 or 98. That is a virtual machine I record using Virtual PC and Camtasia Studio and this this is a physical standalone DOS machine from the early 1990s. Packard Bell Legend 316 SX running on a 386 processor with 2 megabytes of RAM. This does have a legitimate CRT monitor, and as you can see there is a little problem with the refresh rate but this one’s not so bad, especially if you’ve seen my one on failure of a computer review on one of my Toshiba laptops. I just probably gave a seizure to just about everybody watching it. Anyway let’s get to the virus. Explained this for far too long already. Anyway, as you can see here we are operating on a very small partition. Smaller than usual. If you notice the bottom where we have 1 million bytes free – That is one megabyte. Now I installed DOS on a 7 megabyte partition so that we can see OneHalf activate more quickly. We’ll go ahead and run it now. “ERROR: File is not found.” But – this is a false error message, and OneHalf is now in the system. We can run a .com or .exe file. As you can see it takes a little while for them to activate, longer than usual. And this is because OneHalf will infect them. It also affects the Master Boot Record of the hard drive and also infects every floppy disc used in the system to facilitate in its spread. Go ahead and change the date really quick. Alright. It’s not as active in the system. We do have this, if you look back at the [record listing], we have a file called boot.com and it does what the name would suggest. It boots the machine. We’re going to go ahead and edit our autoexecute.bat file. We will add in [command] to run reboot.com. Save it, okay. Now before we do that, as you can see it’s all normal. We look at our config.sys file. We’ve got our settings right here – FILES=30, DOS=HIGH, alright. Loads DOS in large amount of memory, and we look at the files we have installed. I mean this is a regular vanilla install of DOS 6.22. Nothing’s been added or deleted from it, and other than the very small partition size, it’s just about any other install that I’ve ever done. Now MS-DOS 6.22 does come with a pretty crappy antivirus software called VSafe. And uh, press Alt and V, the other bunch of menus check and it’ll check for viruses. It doesn’t do a very good job but it does find some that were in its definition database. As you can see it works, and we can unload it from the memory by hitting Alt+U and now it’s not scanning for viruses anymore. So anyhoo, we’ll go ahead and restart and we’ll see our reboot.com program start to activate. Now what OneHalf does is on every boot, the Master Boot Record routine that it has replaced, gets control. It enumerates the hard drive and finds the last two sectors of the disc. Was a very small last two cylinders rather. A very small section of the disk. It will take those and encrypt them with a random key. It can store that key in its body. Now every time the computer starts it gets the drive, goes back to those last two cylinders, counts forward two more cylinters – cylinders and encrypts those under the key. Whenever any data that is encrypted is accessed, OneHalf will decrypt it on the fly. So say you have a text document that ends up getting encrypted and you want to look at it – you wouldn’t notice it’s wrong because OneHalf would intercept your attempt to read it, and it would display the regular, the uh regular text document because it has the key in its system. I hope I’m explaining this alright; I’ll write it out in the description a little more, if you’re a little confused. So as you can see, all reboot.com is doing is rebooting machine over and over as soon as it gets to that line in autoexec.bat. And while this is happening, OneHalf is slowly encrypting the hard drive from the end to the middle. Now when it reaches the 50% mark you’ll see its payload, where it prints a message to the screen. And here we have the payload of the virus, after quite a few restarts. We have a simple message on load up. “Dis is one half. Press any key to continue …” Now that’s pretty odd, I wouldn’t expect any of my programs printing that out when I’m loading the computer. Now why does it print this? Well, basically saying “This is one half.” OneHalf has now successfully encrypted the last half of your hard drive. Any data stored within that last half of the hard drive is now encrypted by OneHalf. Any time that data is accessed OneHalf will decrypt it as long as OneHalf has not been removed from the system. Now, ‘n’ they sound alright. You don’t want to live with a- Sorry. You don’t want to live with a virus on your computer. I mean, that’s pretty bad idea. So as you see we’re still with booting here. We’re going to go ahead and turn off the computer at the Power (holding the) Button, if I can find it in the dark. I cannot navigate. K. Now, we got our MS-DOS boot disk. Plug that in here. We’re gonna boot up. I guess the floppy drive is a little upset with me tonight. Anyway, I’m going to show you what happens here to improperly remove the one half virus by simply overwriting the Master Boot Record with a clean version. This is insanely bad way to remove this virus. There were several tools actually written by antivirus companies, to remove the OneHalf virus. And this is not the method you were supposed to use. But what fun are these videos if we don’t lose data? I mean really. That’s the reason you’re here. You want to see giant animated flames, giant skulls with glowing eyes, scrolling text flying everywhere, bouncing balls, everything. And that’s what these old viruses really did to us. That’s why I really like them. I get, also get a lot of requests to newer malware, and I really don’t want to do that. I mean one thing, if you want newer malware that gets in your face you can go check out my friend rogueamp’s channel. The link’s in the description. He looks at rogue antiviruses and ransomware, and that’s all relatively new stuff. He will tell you how to remove it as well if you ever get it on your computer. It’s pretty interesting. On the other side of malware today is pretty much all designed to make money as silently as possible. The majority of videos I could do will just be looking at a desktop and explaining to you what the virus is doing and that would be the entire thing because there’s nothing to really show you. It doesn’t get in your face, it doesn’t say “Dis is one half.” It doesn’t print bunch of Windows red error messages across the screen and make your hard drive crash, tell you “Seem like your bad dream come true”, any of that crap? No. It doesn’t do anything except steal your data, steal your money, steal your banking info. So anyway let’s go ahead and improperly remove the OneHalf virus. We’ll do fdisk, and then the switch /mbr which replaces the Master Boot Record on the hard drive with a clean copy from MS-DOS. Now that that’s done, gonna go ahead and reboot. Ctrl Alt, Delete. I do hope you enjoyed this video. It’s one of the more technical videos where I have to explain a lot of what’s going on. It’s not AS, well as interestings, it’s really interesting to me but might not be as interesting to you as some of the ones that are more graphical and WHOA, what is happening here? As we notice the computer has booted up and we’re not rebooting. I mean I didn’t remove the reboot.com file from autoexec.bat, so what’s happening here? Well first thing we got an unrecognized command in config.sys so that would normally come about from an improperly typed in command. But it was working fine before, and why are we printing these weird characters that is trying to run as an executable? So let’s.. check this stuff out. edit config.sys, and whoa. Don’t think that’s actually a valid command. You know, something’s telling me that, look at autoexec.bat… ah.. yeah. That’s that’s not what was in there before, I’m pretty sure it was some other stuff you know, like reboot.com. And if we look around in our files… Uh, the command interpreter usually doesn’t hang the machine. In fact it kind of lets DOS run. So what’s happened is, we have removed the OneHalf virus. This removes the ability to decrypt our data on the fly, which removes the decryption key, which means our data is now totally lost if it was stored on the last half of the hard drive. Now normally our hard drive would be very large or at least much larger than seven megabytes. I mean the actual size of this hard drive in this computer is 100 megabytes. So imagine you had that full of documents, and now almost all your hard drive is an unintelligible mess of garbage characters. You can see this virus be pretty devastating and uh, just really nasty. Just one of the reasons I really like it. It’s not in your face, it’s very subtle really, announcement that it’s on your system is “Dis is one half.” After it encrypts half your hard drive. And I do hope you’ve enjoyed this video. I do hope you’ve enjoyed my other videos. Thanks for watching.

13 Comments

  • Reply Venancio Hernandez Chumillas May 26, 2019 at 8:22 pm

    D I S I S O N E H A L F

  • Reply pingvin66666 June 8, 2019 at 8:39 pm

    Damn, my 286 was infected with this virus when I was a kid ๐Ÿ˜€ I had no idea about why are my games not starting up, I had to use my backup floppies to copy them again to the hard drive. I used the Volkov Commander, and it has a very nice feature, you can check what programs are in the memory and you can kill them. The shortcut was maybe ALT+F5 to this feature, if I remember right, but it's very blurry, it was more than 15 years ago. The OneHalf virus was there, with it's name. I had no antivirus on my 286, so I had to kill OneHalf from the memory every time when I booted up or accidentally executed infected file + re-copy my games to use them. I did this for about a week, until I could download some antivirus from the internet in my school. I used Thunderbyte Antivirus I think, I remember that I used 5-6 disks in school to have backups of the AV until I get home. ๐Ÿ˜€

  • Reply Chutney June 16, 2019 at 11:32 pm

    inb4 Thanos joke

  • Reply Ethy June 22, 2019 at 11:08 pm

    OneHalf: Remove me. I dare you.

  • Reply LOPEZ_ TYUBKK_ July 14, 2019 at 8:13 am

    WHO NEED CRACK OF HALF-LIFE ONE????

  • Reply Fabian Leiva July 20, 2019 at 4:51 am

    dis is your job gone, probably

  • Reply Veggieoskibroski August 14, 2019 at 4:58 am

    What about using DOSbox to run these? DOSbox inside VM will do just fine
    Try it, you can use whatever for capturing

  • Reply Veggieoskibroski August 14, 2019 at 5:09 am

    Pls do more dos viruses
    Pls

  • Reply T. V. August 18, 2019 at 4:10 pm

    Thanos virus

  • Reply Jacky Gunawan August 27, 2019 at 6:58 am

    You know i like MALWARE and VIRUSES??????

  • Reply Lorrin Playz September 2, 2019 at 5:57 pm

    PACKARD BELL
    America love grew up listening to us, it still does
    GAGAGAGAG
    WEWEWEEWEEEWEW

  • Reply Rebel Fleet Trooper October 18, 2019 at 11:41 am

    Grrnnnnnn, grrrrrrrrrrnnnnnn… Beep…

  • Reply Martin Lesko December 15, 2019 at 9:07 pm

    I imagine if somebody of you here knows that this virus is from Slovakia.

  • Leave a Reply