Ripper Virus
Virus Name: Ripper
Aliases:
V Status: Common
Discovery: November, 1993
Isolated: April, 1995 (United States)
Symptoms: BSC; Master Boot Sector altered; disk corruption;
decrease in total system & available free memory
Origin: Norway
Eff Length: N/A
Type Code: PRhXB - Resident Boot Sector & MBR Infector
Detection Method: F-Prot, ViruScan, AVTK, ChAV,
IBMAV, NAV, Sweep, NAVDX, VAlert, PCScan
Removal Instructions: F-Prot, or F-Disk /MBR on Hard Disk, DOS SYS
on system diskettes
General Comments:
The Ripper virus was first reported in November, 1993 from Norway,
and shortly afterwards from England. Many reports of this virus were
also received from sites in the United States during 1994. The
sample analyzed here was isolated in April, 1995 and is from the
United States. Ripper is a memory resident stealth virus which
infects diskette boot sectors and the system hard disk master
boot sector. It is a destructive virus.
Systems become infected with the Ripper virus when they are booted,
or an attempt is made to boot them, from an infected diskette. At
this time, the Ripper virus will become memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 2,048 bytes. Also at this time, the Ripper virus
will infect the system hard disk master boot sector if it was not
previously infected. If the diskette was a system diskette, the boot
will proceed; if not, the user will be prompted for a system diskette.
Once the system hard disk master boot sector has been infected with
the Ripper virus, the virus will become memory resident whenever the
system is booted from the system hard disk.
Once the Ripper virus is memory resident, it will infect any non-
write protected diskette which is accessed on the system. When the
Ripper virus infects diskettes, it copies the original boot sector
to the last sector of the root directory. On 5.25 inch double
density diskettes, this will be sector 11. On 5.25 inch high density
diskettes, it is sector 17. The Ripper viral code is two sectors
long, the first sector overwriting the original boot sector of the
diskette, and the second sector being written to the sector before
the last sector of the disk's root directory. No text strings are
visible within the viral code as the Ripper virus is an encrypted
virus. The following two text strings are encrypted within the
viral code:
"FUCK 'EM UP"
"(C)1992 Jack Ripper"
Ripper is a stealth virus: while it is memory resident, it prevents
a read of the viral code on the system hard disk and on diskette boot
sectors. When a program attempts to read either a diskette boot
sector or the system hard disk master boot sector, the virus will
return the original boot sector or master boot sector instead. As
such, anti-viral programs cannot detect it on disk while the virus
is memory resident. If a Ripper viral infection is suspected, the
system should be cold booted from a known uninfected, write
protected system diskette and then checked. If a viral infection
is found, the user should then proceed with disinfection and also
check any non-write protected diskettes which have been accessed
on the system.
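The two paragraphs above describe where Ripper leaves the original diskette boot sector (the last sector of the root directory) and why a check is only trustworthy after a cold boot from a clean, write protected diskette. The following Python checker is an added example, not part of this catalog entry and not any of the detection tools it lists. It is meant to be run offline against a raw sector image dumped from a suspect diskette after such a clean boot; it derives the last root-directory sector from the diskette's own BPB instead of hard-coding sector numbers, and flags an image whose last root-directory sector holds something that looks like a boot sector. The 360 KB geometry, the OEM label "CONSTRD ", and the infected-layout fixture (which reproduces only the on-disk layout described above, with constructed filler bytes in place of any code) are assumptions made for the demonstration.

```python
"""Offline layout checker for the Ripper diskette infection described above.

Constructed example: builds a 360 KB (5.25 inch DD) FAT12 image in memory,
locates the last root-directory sector from the BPB, and reports whether
that sector holds a boot-sector copy. Nothing here touches a real disk.
"""
import struct

SECTOR = 512


def parse_bpb(boot: bytes) -> dict:
    """Read the BIOS Parameter Block fields needed to locate the root directory."""
    (bytes_per_sector, sectors_per_cluster, reserved, fats, root_entries,
     total_sectors, media, sectors_per_fat) = struct.unpack_from("<HBHBHHBH", boot, 11)
    return {
        "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
        "reserved": reserved, "fats": fats, "root_entries": root_entries,
        "total_sectors": total_sectors, "media": media, "sectors_per_fat": sectors_per_fat,
    }


def root_dir_last_sector(boot: bytes) -> int:
    """Logical sector number (0-based) of the last root-directory sector.
    For the 360 KB layout this is sector 11, the value quoted in the entry."""
    b = parse_bpb(boot)
    first = b["reserved"] + b["fats"] * b["sectors_per_fat"]
    count = -(-b["root_entries"] * 32 // b["bytes_per_sector"])  # ceiling division
    return first + count - 1


def looks_like_boot_sector(sec: bytes) -> bool:
    """A directory sector should never carry a jump, a sane BPB and a 0x55AA signature."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xAA" or sec[0] not in (0xEB, 0xE9):
        return False
    b = parse_bpb(sec)
    return b["bytes_per_sector"] in (512, 1024, 2048, 4096) and b["fats"] in (1, 2) \
        and b["sectors_per_fat"] > 0


def build_boot_sector() -> bytes:
    """Constructed clean 360 KB boot sector: jump, OEM name, BPB, filler, signature."""
    bpb = struct.pack("<HBHBHHBHHHI",
                      512,   # bytes per sector
                      2,     # sectors per cluster
                      1,     # reserved sectors (the boot sector itself)
                      2,     # number of FATs
                      112,   # root directory entries
                      720,   # total sectors (360 KB)
                      0xFD,  # media descriptor for 360 KB
                      2,     # sectors per FAT
                      9,     # sectors per track
                      2,     # heads
                      0)     # hidden sectors
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"CONSTRD "          # constructed OEM label
    sector[11:11 + len(bpb)] = bpb
    sector[62:510] = b"\x90" * (510 - 62)  # filler standing in for boot code
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def make_clean_image() -> bytearray:
    """Constructed empty 360 KB diskette image: boot sector, two FATs, empty root directory."""
    boot = build_boot_sector()
    image = bytearray(parse_bpb(boot)["total_sectors"] * SECTOR)
    image[0:SECTOR] = boot
    for fat_start in (1, 3):  # FAT1 at sector 1, FAT2 at sector 3 (two sectors each)
        image[fat_start * SECTOR:fat_start * SECTOR + 3] = b"\xFD\xFF\xFF"
    return image


def make_infected_layout_image() -> bytearray:
    """Test fixture only: copies the original boot sector to the last root-directory
    sector and overwrites the boot code area with different constructed filler,
    keeping the BPB so DOS would still read the diskette. No viral code is involved."""
    image = make_clean_image()
    last = root_dir_last_sector(bytes(image[0:SECTOR]))
    image[last * SECTOR:(last + 1) * SECTOR] = image[0:SECTOR]
    image[62:510] = b"\xCC" * (510 - 62)
    return image


def check_image(image: bytes) -> dict:
    """Report where the last root-directory sector is and whether it holds a boot-sector copy."""
    boot = bytes(image[0:SECTOR])
    last = root_dir_last_sector(boot)
    stash = bytes(image[last * SECTOR:(last + 1) * SECTOR])
    found = looks_like_boot_sector(stash)
    return {
        "root_dir_last_sector": last,
        "stashed_boot_sector_found": found,
        "live_boot_differs_from_stash": found and stash != boot,
    }


if __name__ == "__main__":
    print("clean:   ", check_image(make_clean_image()))
    print("infected:", check_image(make_infected_layout_image()))
```

The check is deliberately geometry-independent: a different diskette format changes the FAT size and root-directory length, and the BPB arithmetic follows. It only inspects the stash location, so it says nothing about the hard disk master boot sector, and like any on-disk check it is meaningless if the image was taken while the virus was resident, since the stealth read hook would hand back the original boot sector.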
The Ripper virus is destructive, occasionally swapping two words in
the DOS write buffer, resulting in a slow and not easily detected
corruption of disks. The corruption of the write buffer occurs at
random, on approximately 1 write in 1,000.