This virus was found in the wild in Denmark in February 1997.
It stays resident in memory and infects all EXE files that are
executed. The virus does not activate in any way.
The virus contains this text string:
SC.Replicator
The virus is named after its "are-you-there" call: it calls INT 6Bh
with hex value BABE and expects to find the return value DEAD.
Deadbabe will reinfect infected files. As a result, your files can have
dozens of infections, and they will be several kilobytes larger.
F-Secure anti-virus products will disinfect Deadbabe fine, but
because of a bug in the virus, the disinfected files will sometimes
be longer than the original. This extra area might also contain
pieces of the virus, which could cause false alarms. If you encounter
problems like this, delete the files and reinstall or restore them.
[Analysis: Mikko Hypponen & Peter Szor, F-Secure, 1997]