Virus:Boot/Ripper

Classification

Malware, Virus, Boot

Summary

Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.

Note

F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes the disinfection of Ripper to fail. This might cause a machine to become unbootable. Do not use these versions of F-PROT to disinfect this virus; contact Support instead.

Technical Details

Ripper contains two encrypted strings:

  • "FUCK 'EM UP"
  • "(C)1992 Jack Ripper"

Ripper was found in Norway in November 1993. However, it is believed to be of Bulgarian origin.

Infection

The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

Ripper is two sectors long, and it stores the original boot sector in the last sector of the root directory. It also reserves the sector before that for its own code.
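
To check those two sectors on an acquired floppy image, the following added example (not F-Secure's code) computes their positions from the FAT BIOS Parameter Block and reports whether each is in use and whether the last one ends in a boot signature. It assumes the BPB in sector 0 is still readable and that the image was taken after booting from clean media, since the virus hides itself while resident; the function names and the sample image are constructed for illustration.

```python
import struct

BOOT_SIG = b"\x55\xaa"  # signature at offset 510 of any PC boot sector

def root_dir_tail(boot_sector: bytes):
    """Return (lba_before_last, lba_last, bytes_per_sector) of the FAT12/16 root directory."""
    bps, _spc, reserved, fats, root_entries = struct.unpack_from("<HBHBH", boot_sector, 11)
    (sectors_per_fat,) = struct.unpack_from("<H", boot_sector, 22)
    if bps not in (512, 1024, 2048, 4096) or not (fats and root_entries and sectors_per_fat):
        raise ValueError("BPB is not plausible; supply the geometry by hand")
    root_start = reserved + fats * sectors_per_fat
    root_sectors = (root_entries * 32 + bps - 1) // bps
    last = root_start + root_sectors - 1
    return last - 1, last, bps

def triage(image: bytes):
    """Describe the two sectors the write-up says Ripper occupies."""
    before_last, last, bps = root_dir_tail(image[:512])
    report = {}
    for name, lba in (("reserved_for_code", before_last), ("saved_boot_sector", last)):
        sector = image[lba * bps:(lba + 1) * bps]
        report[name] = {
            "lba": lba,
            "non_empty": any(sector),
            # In a real directory sector these two bytes are the high word of a
            # file size, so 55 AA here does not occur on a floppy-sized volume.
            "boot_signature": sector[510:512] == BOOT_SIG,
        }
    return report

def make_floppy(relocated: bool) -> bytes:
    """Constructed 1.44 MB image: blank, or with filler in the two tail sectors."""
    img = bytearray(2880 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    img[510:512] = BOOT_SIG
    if relocated:
        img[31 * 512:32 * 512] = b"\xcc" * 512             # filler, not virus code
        img[32 * 512:33 * 512] = b"\x90" * 510 + BOOT_SIG  # stand-in boot sector
    return bytes(img)

if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, triage(make_floppy(flag)))
```

A boot signature in the last root directory sector is a triage hint that a boot sector was relocated there, not a detection of Ripper itself; confirm with a scanner before acting on it.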

Activity

Ripper has stealth capabilities; the virus code cannot be seen in boot records while the virus is active in memory.

Ripper contains a destructive activation routine. It corrupts disk writes at random: approximately one disk write in 1000 is corrupted. The virus swaps two words in the write buffer, causing slow and in some cases difficult-to-notice corruption on the hard disk.