NOTE: F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes
the disinfection of Ripper to fail. This might cause a machine to
become unbootable. Do not use these versions of F-PROT to disinfect
this virus. Contact support instead.
The Ripper virus was found in November 1993 from Norway. However,
it is believed to be of Bulgarian origin. Ripper infects floppy boot
records and hard disk master boot records.
The virus will only infect hard drives when an attempt to boot from an
infected diskette is made. Once the virus has infected the hard drive,
all non-protected floppies used in the machine will be infected.
Ripper virus is two sectors long, and it stores the original boot
sector to the last sector of the root directory, and also reserves one
sector before that for its own code.
The virus is encrypted with a variable key. Encryption is quite rare
among boot sector viruses. It is also a stealth virus, and the virus
code cannot be seen in boot records while the virus is active in
memory.
Ripper virus contains two encrypted strings: "FUCK 'EM UP" and
"(C)1992 Jack Ripper".
Ripper contains a destructive activation routine. It corrupts disk
writes by random - approximately one disk write in 1000 is corrupted.
The virus will swap two words in the write buffer, causing slow and in
some cases difficult-to-notice corruption on the hard disk.
![](/images/pixel.gif"){kind=tracking}
