
11/13/2013

The Virus: DEADBABE.SC.Replicator
(In Memory to Peter Szor)

DEADBABE is a malicious memory-resident file infector whose first appearance in the wild was caught in Denmark in 2007. The source lists it as Win32, but the "are-you-there" call described below is a DOS software interrupt and the 494.B variant described further down targets MS-DOS, so treat the platform label with care.

It stays resident in memory and infects every EXE file that is executed. The virus has no activation routine. It is named after its "are-you-there" call: it invokes INT 6Bh with the value BABE (hex) and expects DEAD back, which tells a second copy that one is already resident. That check protects memory, not files: DEADBABE re-infects files that are already infected, so a file can end up carrying dozens of infections and grow by several kilobytes with each round. An interesting 1989 article on another virus that used INT 6Bh, the "Saddam Virus", can be read here.

According to F-Secure, its anti-virus products disinfect DEADBABE, but because of a bug in the virus the disinfected files are sometimes longer than the originals. The extra area may still contain fragments of the virus, which can trigger false positives (Type I errors) in later scans. If you run into this, delete the affected files and reinstall or restore them; files you no longer need (other than OS files) can simply be deleted.
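A quick triage check for the "disinfected file is longer than the original" case: a DOS MZ executable declares its own load-image size in the header (e_cp 512-byte pages, e_cblp bytes used in the last page), so any bytes past that size are either a legitimate overlay or leftovers that disinfection failed to trim. The code below is an added example written for this page, not F-Secure's or the virus author's code; it assumes the leftover fragments sit after the declared image, and the sample executables are constructed inline.

```python
import struct

MZ_HDR = "<2sHH"   # e_magic, e_cblp (bytes used in last page), e_cp (512-byte pages)
PAGE = 512


def mz_declared_size(data):
    """Size of the load image the MZ header claims to cover."""
    magic, cblp, cp = struct.unpack_from(MZ_HDR, data, 0)
    if magic not in (b"MZ", b"ZM") or cp == 0:
        raise ValueError("not an MZ executable")
    return (cp - 1) * PAGE + (cblp or PAGE)   # e_cblp == 0 means a full last page


def trailing_bytes(data):
    """Bytes after the declared image: an overlay, or a leftover virus body."""
    return bytes(data[mz_declared_size(data):])


def check_executable(data):
    """Triage summary: declared vs. physical size and the size of the tail."""
    declared = mz_declared_size(data)
    return {"declared": declared, "actual": len(data), "trailing": len(data) - declared}


def make_mz(image_len, trailer=b""):
    """Constructed sample: a minimal MZ header padded to image_len, plus an
    optional trailer standing in for bytes a disinfector left behind."""
    cp, cblp = divmod(image_len, PAGE)
    if cblp:
        cp += 1
    header = struct.pack(MZ_HDR, b"MZ", cblp, cp)
    return header + b"\x90" * (image_len - len(header)) + trailer
```

Treat a non-zero tail as a signal, not a verdict: compilers and self-extracting archives legitimately append overlays, so dump the trailing bytes and look at them before deleting anything. A file infector that appends itself normally patches e_cp/e_cblp to cover its body, which is why a restored header with extra bytes left behind shows up here.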

The same magic number appears outside malware: 0xDEADBABE ("dead babe") is used by IBM's Jikes RVM as a sanity-check value on the stack of the primary thread.

Another variant of this malware is Deadbabe.494.B, rated a low threat level on its affected platform, MS-DOS. It carries out damaging actions on the affected computer but does not spread automatically by its own means. This variant was detected exactly eleven years ago today (13/11/2002).

Brief Description:

Deadbabe.494.B needs the intervention of an attacking user in order to reach the affected system. Means of transmission include, among others, floppy disks (in the old days), CD-ROMs and DVDs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file-sharing networks and more. Deadbabe.494.B uses the following infection strategy:

- Once it has been run, the virus goes memory resident and hooks functions belonging to the operating system. Every time the operating system or an application calls one of these functions, the virus activates and infects new files. The malicious code is written in 16-bit x86 assembly.
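The residency logic described for both DEADBABE and the 494.B variant, as a runnable model (an added example, not virus code and not from any vendor write-up): an interrupt vector table, the INT 6Bh are-you-there handshake with BABE/DEAD, a hook chained in front of the DOS service vector, and the missing per-file marker that makes every execution grow the file again. The interrupt number and the two values come from the page; the DOS function number, the 494-byte body length (taken from the variant's name), the register names and the sample files are assumptions of the model.

```python
# Interrupt numbers and handshake values from the page; everything else is assumed.
ARE_YOU_THERE_INT = 0x6B
DOS_INT = 0x21            # assumption: the DOS services vector the virus hooks
DOS_EXEC_AH = 0x4B        # assumption: the exec function it filters on
BODY_LEN = 494            # assumption: body length read from "Deadbabe.494"


class Machine:
    """Minimal PC: an interrupt vector table plus an in-memory file system."""

    def __init__(self, files):
        self.files = {name: bytearray(body) for name, body in files.items()}
        self.vectors = {DOS_INT: self._dos_services}

    def _dos_services(self, regs):
        # Uninfected DOS: exec just records that the program ran.
        if regs.get("ah") == DOS_EXEC_AH:
            regs.setdefault("ran", []).append(regs["file"])

    def int(self, number, regs):
        """Software interrupt: dispatch through the vector if one is installed.
        An unhooked INT 6Bh leaves AX untouched, so BABE never becomes DEAD."""
        handler = self.vectors.get(number)
        if handler is not None:
            handler(regs)
        return regs


class ResidentInfector:
    def install(self, machine):
        """Go resident unless a copy already answers the are-you-there call."""
        regs = machine.int(ARE_YOU_THERE_INT, {"ax": 0xBABE})
        if regs["ax"] == 0xDEAD:
            return False                     # already resident: do nothing
        self._orig_dos = machine.vectors[DOS_INT]
        machine.vectors[DOS_INT] = lambda r: self._dos_hook(machine, r)
        machine.vectors[ARE_YOU_THERE_INT] = self._are_you_there
        return True

    @staticmethod
    def _are_you_there(regs):
        if regs.get("ax") == 0xBABE:
            regs["ax"] = 0xDEAD

    def _dos_hook(self, machine, regs):
        """Infect on every exec of an .EXE, then chain to the real handler.
        No per-file marker is checked, so an infected file is infected again."""
        name = regs.get("file", "")
        if regs.get("ah") == DOS_EXEC_AH and name.upper().endswith(".EXE"):
            machine.files[name] += b"\xCC" * BODY_LEN
        self._orig_dos(regs)


def run_scenario():
    """Constructed run: install twice, execute A.EXE three times and B.COM once."""
    m = Machine({"A.EXE": b"MZ" + b"\x00" * 998, "B.COM": b"\xC3" * 100})
    first = ResidentInfector().install(m)
    second = ResidentInfector().install(m)   # a second launch sees 0xDEAD
    for name in ("A.EXE", "A.EXE", "B.COM", "A.EXE"):
        m.int(DOS_INT, {"ah": DOS_EXEC_AH, "file": name})
    return first, second, {n: len(b) for n, b in m.files.items()}
```

The point the model makes is the asymmetry the page describes: the handshake stops a second copy from going resident, but nothing stops the resident copy from appending to a file it has already infected, so each exec of A.EXE adds another body.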

NOTE: If you think your PC is infected with this virus, visit Panda Security, download the removal tool and follow the step-by-step instructions there.

The DEADBABE value also turns up in HPS, a polymorphic Windows 95 virus that contains this sarcastic text:

"< Hantavirus Pulmonary Syndrome (HPS) Virus BioCoded by GriYo / 29A >"

Technical Details of HPS:

It stays active in memory and infects Win32 EXE files as they are accessed, wrapping its own code in a variable polymorphic encryption layer.

HPS activates on Saturdays. If an uncompressed Windows bitmap (BMP) file is opened on that day, the virus flips the picture horizontally.


HPS patches the value DEADBABE (hex) into the end of the bitmap header area so that it does not flip the same image again. Since uncompressed bitmap files are used everywhere by Windows 95 and 98, this causes all kinds of odd effects, such as the Windows start-up and shutdown screens appearing mirrored (see image).
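The payload and its marker, as an added example (written for this page, not HPS's code): a parser for the BMP file and info headers, a horizontal row flip limited to uncompressed 24-bit bitmaps, and the DEADBABE stamp that makes the payload skip files it has already touched. The page only says the marker goes "at the end of the bitmap header area", so the exact slot is an assumption here (the last dword of BITMAPINFOHEADER, biClrImportant); the 3x2 sample image is constructed inline. The same `is_marked` check is what a scanner would use to find bitmaps HPS has already modified.

```python
import struct

DEADBABE = 0xDEADBABE
BI_RGB = 0                                   # uncompressed pixel data
FILE_HDR = "<2sIHHI"                         # bfType, bfSize, bfReserved1/2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"                    # BITMAPINFOHEADER, biSize .. biClrImportant
FILE_HDR_LEN, INFO_HDR_LEN = 14, 40
MARKER_OFF = FILE_HDR_LEN + INFO_HDR_LEN - 4 # assumption: biClrImportant holds the marker

SAMPLE_ROWS = [                              # constructed 3x2 image, top row first
    [(255, 0, 0), (0, 255, 0), (0, 0, 255)],
    [(10, 10, 10), (20, 20, 20), (30, 30, 30)],
]


def make_bmp(rows):
    """Build a 24-bit uncompressed BMP (stored bottom-up, rows padded to 4 bytes)."""
    height, width = len(rows), len(rows[0])
    stride = (width * 3 + 3) & ~3
    pixels = bytearray()
    for row in reversed(rows):
        line = bytearray()
        for r, g, b in row:
            line += bytes((b, g, r))             # BMP stores BGR
        pixels += line + b"\0" * (stride - len(line))
    offset = FILE_HDR_LEN + INFO_HDR_LEN
    file_hdr = struct.pack(FILE_HDR, b"BM", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack(INFO_HDR, INFO_HDR_LEN, width, height, 1, 24,
                           BI_RGB, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + pixels)


def is_marked(data):
    """Detection side: has this bitmap already been stamped with DEADBABE?"""
    return struct.unpack_from("<I", data, MARKER_OFF)[0] == DEADBABE


def hps_flip(data):
    """Model of the payload: mirror every row, then stamp the marker so the
    same file is not flipped back on the next trigger."""
    magic, _, _, _, offset = struct.unpack_from(FILE_HDR, data, 0)
    bi_size, width, height, _, bpp, comp = struct.unpack_from(INFO_HDR, data, FILE_HDR_LEN)[:6]
    if magic != b"BM" or bi_size != INFO_HDR_LEN or comp != BI_RGB or bpp != 24:
        return data                              # not an uncompressed 24-bit BMP
    if is_marked(data):
        return data                              # already flipped: leave it
    stride = (width * 3 + 3) & ~3
    out = bytearray(data)
    for y in range(abs(height)):
        base = offset + y * stride
        row = out[base:base + width * 3]
        out[base:base + width * 3] = b"".join(
            row[x * 3:x * 3 + 3] for x in range(width - 1, -1, -1))
    struct.pack_into("<I", out, MARKER_OFF, DEADBABE)
    return bytes(out)


def pixel_at(data, x, y):
    """(r, g, b) at column x, row y counted from the top of the image."""
    offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, FILE_HDR_LEN + 4)
    stride = (width * 3 + 3) & ~3
    base = offset + (abs(height) - 1 - y) * stride + x * 3
    b, g, r = data[base:base + 3]
    return (r, g, b)
```

Because the marker lives in a header field most viewers ignore, a flipped bitmap still renders normally, which is exactly why the effect shows up as a mirrored boot screen rather than as a corrupt file. Note that a marker check is also what the original DEADBABE lacked at file level, which is why that virus re-infected files while HPS does not re-flip them.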

REFERENCES

The technical details of this threat are by Mikko Hypponen & Peter Szor, F-Secure, 1997.

In Memory of Peter Szor
(by McAfee Labs)
