FRISK Software International

Summary of Ripper
Alias:Jack the Ripper
Infectable objects: Foppy boot records and hard disk master boot records.
Discovered: 1 Nov 1993
Jump to:
Brief description
Technical description

Brief Description
NOTE: F-PROT for DOS v3.0, 3.01, 3.02 and 3.03 have a bug which causes the disinfection of Ripper to fail. This might cause a machine to become unbootable. Do not use these versions of F-PROT to disinfect this virus. Contact support instead.

The Ripper virus was found in November 1993 from Norway. However, it is believed to be of Bulgarian origin. Ripper infects floppy boot records and hard disk master boot records.

Technical Description
The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

Ripper virus is two sectors long, and it stores the original boot sector to the last sector of the root directory, and also reserves one sector before that for its own code.

The virus is encrypted with a variable key. Encryption is quite rare among boot sector viruses. It is also a stealth virus, and the virus code cannot be seen in boot records while the virus is active in memory.

Ripper virus contains two encrypted strings: "FUCK 'EM UP" and "(C)1992 Jack Ripper".

Ripper contains a destructive activation routine. It corrupts disk writes by random - approximately one disk write in 1000 is corrupted. The virus will swap two words in the write buffer, causing slow and in some cases difficult-to-notice corruption on the hard disk.

[Analysis: Mikko Hypponen, F-Secure]

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)