|Place of Origin||Bethlehem, PA, USA|
|Infection Length||555 bytes|
Lehigh is an early DOS virus that infects only COMMAND.COM. While it is a file virus, the fact that it only infects one particular file on each disk causes it to behave in a way similar to a boot sector virus.
When a disk with an infected COMMAND.COM file is accessed, Lehigh installs itself in memory. Lehigh searches for a COMMAND.COM on other available disks. As a cavity infector, the virus fills an unused portion of the of the host file's code in its stack space, causing no increase in the host's size. It can infect another COMMAND.COM file if a DOS disk is inserted while the virus is in memory.
Lehigh keeps an infection count in its body. After 4 infections, the virus may overwrite the boot sector and file allocation table.
A few variants of this virus exist. Most of them only differ in the number of infections before the payload is triggered.
Ken Van Wyk created some hype over the virus, but there is no evidence that it spread much beyond Lehigh University. Van Wyk would later start the VIRUS-L Usenet group.
A simple way to prevent the virus is to make COMMAND.COM a read-only file.
A virus named Diogenes contains a message saying "another fine product of the Lehigh Valley", possibly a reference to this virus.
Lehigh was named after Lehigh University, where it was first found. Today, this is in violation of the CARO naming scheme, but this virus predates that scheme by a few years.
- Avast: Lehigh
- Avira: Lehigh #1 virus
- Bitdefender: Virus.Lehigh
- ClamAV: Lehigh.1
- F-Secure: Virus.DOS.Lehigh [AVP]
- Kaspersky: Virus.DOS.Lehigh
- McAfee: Lehigh.dr
- Symantec: Lehigh
- Trend Micro: LEHIGH.DR
Peter Szor. The Art of Computer Virus Research and Defense, Chapter 3, Section 5.1, pp. 137, 198. Addison-Wesley, Pearson Education, Symantec Press; Upper Saddle River, New Jersey: 2005. ISBN: 0321304543
McAfee Antivirus, Lehigh
Computer Break, Computer Sickness Reported - User Vigilance Required. 1988.01.15 (OWWCD)