| Alias: | RIPPER |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | Master-boot record (HD) infector, DBR (Floppy)- infector, re |
| Length: | 2 kilobyte(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Ripper |
Attributes | |
| Easy identification: | |
Type of Infection: | Bootsector infection. Selfrec in memory: (Seg(INT 13 vector):00E2h ... Seg(INT 13 vector):0122h) ==(Seg(virus):00E2h ... Seg(virus):0122h) Selfrec on disk: (Seg(ReadBuffer):00E2h ... Seg(ReadBuffer):0122h) ==(Seg(virus):00E2h ... Seg(virus):0122h) |
| Infection Technique: | |
| Infection Trigger: | Floppies: (INT 13/AH=02, INT 13/AH=03) and(drive changed or more than 2 secs ago sincelast access)Hard disk: Boot from infected floppy |
| Storage Media affected: | Harddisks, Disketts |
| Interrupts hooked: | 13/AH=02 13/AH=03 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: On floppy disks data will be lost if entries in the lasttwo sectors of the root directory are used.Swap's randomly choosen word with following word inwrite buffer (probability 1-in-1024). |
| Damage Trigger: | Transient: - Permanent: INT 13/AH=03 and System tick count 0040:006Ch AND 3FFh = 0 |
| Particularities: | The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. Not displayed text: "FUCK 'EM UP !""(C)1992 Jack Ripper" |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | BSI (GISA) / V2, Hubert Schmitz |
| Documentation by: | BSI (GISA) / V2, Hubert Schmitz |
| Date: | 1995-08-09 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg