| Alias: | |
| Strain: | |
| detected when: | November 1987 |
| where: | Lehigh University (Bethlehem/USA) |
| Classification: | System virus (COMMAND.COM), RAM-resident |
| Length: | 555 bytes |
Preconditions | |
| Operating System(s): | |
| Version/Release: | |
| Computer model(s): | All MS-DOS machines |
| Caroname: | Lehigh |
Attributes | |
| Easy identification: | Last two bytes of COMMAND.COM = A9h 65h; text found: ":\command.com". |
| Type of Infection: | COMMAND.COM only (stack space at end of file overwritten); RAM resident (no check whether RAM is already infected). |
| Infection Technique: | |
| Infection Trigger: | Uninfected COMMAND.COM in the root directory of used or current drive (checked by INT 21h) |
| Storage Media affected: | |
| Interrupts hooked: | INT 21h; INT 44h (Set as old INT 21h). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | If A: or B: is selected (and it is not the current drive), sectors 1 to 32 are overwritten with garbage read from BIOS and print-text (also from BIOS). |
| Damage Trigger: | Infection counter = 4 |
| Particularities: | Not hardware-dependent: INT 21h, 26h used only |
| Similarities: | --- |
Agents | |
| Countermeasures: | Several antivirus products (McAfee, Solomon, Skulason et al.) successfully detect and eradicate this virus. |
| Standard means: | --- |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Daniel Loeffler (disassembly by Joe Hirst) |
| Documentation by: | Daniel Loeffler |
| Date: | June 30, 1990 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg