One of the earliest computer viruses to command worldwide attention in the popular press, as well as in the trade and technical press, the LEHIGH VIRUS, also known as the COMMAND.COM virus, was discovered at its institutional namesake in Bethlehem, Pennsylvania. The virus began infecting floppies and hard disks in late November 1987. Common effects of the Lehigh virus included computers failing to boot, hard disk crashes, and directory listings of the disk becoming virtually impossible to obtain under its disk operating system (DOS).
The Lehigh virus was installed in the COMMAND.COM system file, the DOS command-line interpreter and an essential component of booting a DOS computer. Because the viral code was stored in the stack space of this system file, the file's length remained unchanged despite the presence of malicious code. In addition, a jump instruction was inserted at the beginning of the file so that whenever the program was invoked, execution was diverted to the embedded virus. This altered version of COMMAND.COM would spread from floppy to floppy, infecting any computer with the misfortune of accessing a compromised disk. Once a computer was infected, the Lehigh virus would remain resident in its memory.
A Technical Look at the Lehigh Virus
Most disk operating systems use software interrupts to make low-level API calls. Interrupt 21h, which is considered the main DOS API, is invoked from assembly code to reach the services that control memory allocation, processes, and input and output devices. The Lehigh virus operated by intercepting standard DOS commands (such as DIR, TYPE, and other frequently used commands) at interrupt 21h, or int 21h. This means that it would lie dormant until input from the user, in the form of an execute-program or find-first-file request, was detected; it would then activate and carry out its malicious tasks.
The COMMAND.COM system file was also used for propagating the Lehigh virus. If the disk being accessed contained a copy of the system file, the virus would simply attach itself to that copy and increment a counter. From here, behaviour depended on the storage device in use. In a two-floppy system, the counter was kept in memory; for hard disks, the counter was stored on the disk itself. When the value of the counter reached four (4) or more, the payload, the destructive component of the Lehigh virus, would trigger and carry out its most damaging set of tasks.
This secondary phase used absolute disk writes, via interrupt vector 26h, or int 26h, to write zeroes (0) to the first thirty-two (32) sectors of the parent disk. Overwriting these sectors wiped out the disk's boot tracks and directory tables, rendering it unusable. On systems with hard disk drives, this often meant certain hard disk failure.
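As an added defender's example (not from the original article, and not real DOS code), the Python check below applies the tell-tale signs described earlier, an unchanged file length, changed contents, and an entry-point jump into the file's tail, to a constructed stand-in for COMMAND.COM; the image bytes, the 128-byte tail size and the baseline hash are all assumptions made for the demonstration.

```python
import hashlib
import struct

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at CS:0100h

# Constructed stand-in for a clean COMMAND.COM (not real DOS code): a short
# program body followed by a zero-filled tail, standing in for the unused
# stack area in which the virus body was stored.
CLEAN_IMAGE = bytes([0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21]) + bytes(range(256)) * 2
CLEAN_IMAGE += b"\x00" * (640 - len(CLEAN_IMAGE))
BASELINE = {"len": len(CLEAN_IMAGE), "sha256": hashlib.sha256(CLEAN_IMAGE).hexdigest()}

def make_patched_sample(clean, body_len=64):
    """Constructed test input: same length as the clean image, a non-zero
    blob written into the zero tail and the entry point redirected to it."""
    tail_off = len(clean) - body_len
    body = bytes([0x90] * (body_len - 1) + [0xC3])  # NOPs and a RET as placeholder
    rel16 = tail_off - 3                            # relative to IP after the 3-byte JMP
    patched = b"\xE9" + struct.pack("<h", rel16) + clean[3:tail_off] + body
    assert len(patched) == len(clean)
    return patched

def entry_jmp_target(image):
    """File offset a leading near (E9) or short (EB) JMP lands on, else None."""
    if image[0] == 0xE9 and len(image) >= 3:
        rel = struct.unpack_from("<h", image, 1)[0]
        return ((COM_LOAD_OFFSET + 3 + rel) & 0xFFFF) - COM_LOAD_OFFSET
    if image[0] == 0xEB and len(image) >= 2:
        rel = struct.unpack_from("<b", image, 1)[0]
        return ((COM_LOAD_OFFSET + 2 + rel) & 0xFFFF) - COM_LOAD_OFFSET
    return None

def inspect_command_com(image, baseline=BASELINE, tail_len=128):
    """Integrity check tuned to the Lehigh pattern: unchanged size, changed
    content, entry point redirected into the file's tail."""
    findings = {
        "size_unchanged": len(image) == baseline["len"],
        "hash_matches": hashlib.sha256(image).hexdigest() == baseline["sha256"],
        "entry_jmp_target": entry_jmp_target(image),
    }
    tgt = findings["entry_jmp_target"]
    findings["jmp_into_tail"] = tgt is not None and tgt >= len(image) - tail_len
    if findings["hash_matches"]:
        findings["verdict"] = "clean"
    elif findings["size_unchanged"] and findings["jmp_into_tail"]:
        findings["verdict"] = "suspicious: Lehigh-style in-place patch"
    else:
        findings["verdict"] = "modified"
    return findings
```

A size check alone would pass the patched sample, which is exactly why the hash comparison and the entry-point decode are both needed.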
While the original Lehigh virus barely escaped the confines of Lehigh University, it is regarded as one of the first pieces of malware from a university campus to warrant serious attention. There have since been several variants of the virus, mostly differing in the counter, that is, the number of infections it takes for the payload to trigger. Others behave comparably to traditional boot sector viruses. The Lehigh-2 virus is a blend of both, maintaining its infection counter in random access memory (RAM) and corrupting the boot sector and file allocation tables (FAT) once the counter reaches ten (10).