Virus Name: Ow Virus Type: File Infector Virus (infects .COM files) Virus Length: No change
PC Vectors Hooked: None Executing Procedure: 1) Searches for and infects all uninfected COM files in the current directory. Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) OW doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: One_half Virus Type: File Virus Virus Length: 3,544 bytes Description: This virus infects *.COM and *.EXE files as well as COMMAND.COM Interrupt vectors hooked: INT 21h. Infection method: 1) When an infected file runs, the virus loads itself in memory. While loaded, it infects any accessed, executable files or boot sectors. 2) The DOS CHKDSK program will show a "total bytes memory" decrease of 4,096 bytes. 3) Infected .COM and .EXE files increase by 3,544 bytes. Damage: Under analysis. Note: If you attempt to examine the hard drive while the virus is in memory, it will display the original, uninfected version.
Virus Name: Ontario Virus Type: File virus Virus Length: 512 bytes Description: This virus infectes *.COM, *.EXE and overlay files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 2,048 bytes. The virus will also infect COMMAND.COM, increasing it's size by 512 bytes. Once the virus is memory resident, it will infect files when they are executed. Infected files will increase in size by 512 - 1,023 bytes depending on the type of file.
Virus Name: ONTARI03 Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 2048 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory, it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 2048 Bytes. Note: The Ontari03 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Oropax Virus Type: File Infector Virus Virus Length: 2756-2800 bytes Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3a) Once in resident memory, it will infect any uninfected file that is executed. 3b) It doesn't infect .EXE files. Damage: Infected .COM file sizes increase by 2756-2800 bytes. Detecting Method: 1) Virus will hook the interrupt 20h, 21h, 27h. 2) If the system date is after May 1, 1987 and it is an IBM compatible computer, interrupt 8h will be hooked. 3) When the virus is triggered, it will play the "Stars", "Blue" and "Forty" songs one by one every eight minutes. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Status:
Origin :
Eff Length : 3500-5500 bytes
Type Code : Polymorphic Virus
Symptoms :
Increase in the size of infected COM and EXE files by 3544 bytes and decrease in available memory by 5120 bytes. Executing programs may slow down due to the infection procedure of the virus.
General Comments:
One-Half is a multipartite, polymorphic virus. It will first infect the boot sector of a hard disk and it will only be memory resident if the hard disk is used for booting. During bootup, it will allocate 5120 bytes of memory and will reside in the High Memory Area. It will then hook INT 21, INT 13, and INT 1C.
All COM and EXE files executed, opened or copied will be infected by the virus and will have an increase in file size by 3544 bytes.
The virus is also capable of hiding itself from anti-virus software. It can also hide the increase in the file size 'cause it adds special codes to check for infected files and modifies their file size when viewed.
One-Half encrypts an area of the hard disk every time it starts up. This means that it slowly encrypts all the data in your hard disk. Though these areas are decrypted back when the virus is memory resident, it is advisable to create a backup copy of important files while the virus is still memory resident. This makes the virus hard to remove because it hides its encryption code encrypted in the Boot Record.
The following messages are found in the decrypted virus code:
"Dis is one half." "Press any key to continue" "Did you Leave the room?"
Virus Name: ONEH3570
Alias: ONE-HALF.3570
Increase in the size of infected COM and EXE files by 3570 bytes and decrease in available memory by 5120 bytes. Executing programs may slow down due to the infection procedure of the virus. Data sometimes turn out as garbage due to the virus encryption.
One-half.3570 is a multipartite, polymorphic virus which is a variant of the one-half.3544. It will first infect the boot sector of a hard disk and it will only be memory resident if the hard disk is used for booting. During bootup, it will allocate 5120 bytes of memory and will reside in the High Memory Area. It will hook INT 21, INT 13, and INT 1C.
The virus is also capable of hiding itself from anti-virus software. It can also hide the increase in the file size by adding special codes to check for infected files and modifying their sizes when viewed.
One-Half encrypts an area of the hard disk every time it starts up. This means that it slowly encrypts all the data in your hard disk. Though these areas are decrypted back when the virus is memory resident, it is advisable to create a backup copy of important files while the virus is still memory resident. This makes one-half hard to remove because it hides its encryption code encrypted in the Boot Record.
"Dis is one half." "Press a key" "Did you leave the room?"
Alias:
Eff Length : 1024 bytes
Type Code :
Increase in size of COM and EXE programs by 1024 bytes and decrease in free memory by 2048 bytes.
On the first infection, this virus will first allocate 2048 bytes in the High Memory Area and then will transfer 1024 bytes of its code to that area. It will then hook INT 21 with infection procedures to services 4B00(Execute Program), 3D02(Open File Handle), 11 & 12 (Find Directory Entries).
This virus will infect all EXE and COM files that are opened, renamed, or executed. It will also hide infected files when viewed or listed using the DIR command.
There seems to be no damage done by the virus other than replicate.