Threat Description

Virus:​Boot/Ripper

Details

Aliases:Jack the Ripper
Category:Malware
Type:Virus
Platform:Boot

Summary



A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.



Removal



Note

F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes the disinfection of Ripper to fail. This might cause a machine to become unbootable. Do not use these versions of F-PROT to disinfect this virus; contact Support instead.



Technical Details



Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.

Ripper contains two encrypted strings:

  • "FUCK 'EM UP"
  • "(C)1992 Jack Ripper"

Ripper was found in November 1993 from Norway. However, it is believed to be of Bulgarian origin.

Infection

The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

Ripper is two sectors long, and it stores the original boot sector to the last sector of the root directory. It also reserves one sector before that for its own code.

Activity

Ripper has stealth capabilities; the virus code cannot be seen in boot records while the virus is active in memory.

Ripper contains a destructive activation routine. It corrupts disk writes by random - approximately one disk write in 1000 is corrupted. The virus will swap two words in the write buffer, causing slow and in some cases difficult-to-notice corruption on the hard disk.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More