Threat Description



Aliases: Deadbabe, SC.Replicator
Category: Malware
Type: Virus
Platform: W32


This virus was found in the wild in Denmark in February 1997.

It stays resident in memory and infects all EXE files that are executed. The virus does not activate in any way.

The virus contains this text string:


The virus is named after it's "are-you-there" call: it calls INT 6Bh with hex value BABE and expects to find the return value DEAD.

Deadbabe will reinfect infected files. As a result your files can have dozens of infections and they will be several kilobytes larger.

F-Secure anti-virus products will disinfect Deadbabe fine, but because of a bug in the virus, the disinfected files will sometimes be longer than the original. This extra area might also contain pieces of the virus, which could cause false alarms. If you encounter problems like this, delete the files and reinstall or restore them.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details:Mikko Hypponen & Peter Szor, F-Secure, 1997


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More