Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Deadbabe


Aliases:


Deadbabe
SC.Replicator

Malware
Virus
W32

Summary

This virus was found in the wild in Denmark in February 1997.

It stays resident in memory and infects all EXE files that are executed. The virus does not activate in any way.

The virus contains this text string:

SC.Replicator

The virus is named after it's "are-you-there" call: it calls INT 6Bh with hex value BABE and expects to find the return value DEAD.

Deadbabe will reinfect infected files. As a result your files can have dozens of infections and they will be several kilobytes larger.

F-Secure anti-virus products will disinfect Deadbabe fine, but because of a bug in the virus, the disinfected files will sometimes be longer than the original. This extra area might also contain pieces of the virus, which could cause false alarms. If you encounter problems like this, delete the files and reinstall or restore them.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.







Technical Details: Mikko Hypponen & Peter Szor, F-Secure, 1997



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.