Home > Threat descriptions >

Virus:Boot/Ripper

Classification

Category: Malware

Type: Virus

Platform: Boot

Aliases: Virus:Boot/Ripper

Summary


Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.

Removal


Note

F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes the disinfection of Ripper to fail. This might cause a machine to become unbootable. Do not use these versions of F-PROT to disinfect this virus; contact Support instead.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Ripper contains two encrypted strings:

  • "FUCK 'EM UP"
  • "(C)1992 Jack Ripper"

Ripper was found in November 1993 from Norway. However, it is believed to be of Bulgarian origin.

Infection

The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

Ripper is two sectors long, and it stores the original boot sector to the last sector of the root directory. It also reserves one sector before that for its own code.

Activity

Ripper has stealth capabilities; the virus code cannot be seen in boot records while the virus is active in memory.

Ripper contains a destructive activation routine. It corrupts disk writes by random - approximately one disk write in 1000 is corrupted. The virus will swap two words in the write buffer, causing slow and in some cases difficult-to-notice corruption on the hard disk.