Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.



F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes the disinfection of Ripper to fail. This might cause a machine to become unbootable. Do not use these versions of F-PROT to disinfect this virus; contact Support instead.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Ripper contains two encrypted strings:

  • "FUCK 'EM UP"
  • "(C)1992 Jack Ripper"

Ripper was found in November 1993 from Norway. However, it is believed to be of Bulgarian origin.


The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

Ripper is two sectors long, and it stores the original boot sector to the last sector of the root directory. It also reserves one sector before that for its own code.


Ripper has stealth capabilities; the virus code cannot be seen in boot records while the virus is active in memory.

Ripper contains a destructive activation routine. It corrupts disk writes by random - approximately one disk write in 1000 is corrupted. The virus will swap two words in the write buffer, causing slow and in some cases difficult-to-notice corruption on the hard disk.

Date Created: -

Date Last Modified: -