Information about VIRLAB 1.4
1. What is VIRLAB?
2. Hardware-preconditions for VIRLAB
3. Installation and Start
4. User interface of VIRLAB
5. DOS commands
6. Executable Programs
7. Simulated Virus Types
8. The Screen
9. Main Menu
14. Conditions of Use
1. What is VIRLAB?
VIRLAB is a program for the simulation of the spreading of DOS-
computer viruses and their prevention. VIRLAB will thereby allow
free, riskless experimenting, rather than following any fixed
teaching strategy. With a basic knowledge about computer viruses
the effects of viral infections during various stages can be
studied without dealing with real viruses. This provides students
in computer security classes etc. with a hands-on experience without
getting in touch with actual viral code.
The program simulates an IBM-compatible personal computer under
MS-DOS, version 3.2 which contains both a floppy disk drive and a hard
disk drive. In the simulation environment you can select one virus out
of a database with more than 300 currently known computer viruses and
infect a disk with it. As the work with this disk continues, the
virus will become active and start spreading. As a general rule, this
would happen unnoticed by the user during the execution of DOS-commands or
user programs. VIRLAB will make these viral activities visible in various
- infected disks will be shown in red
- each action of the virus will be announced if the trace mode is switched on
- you can display information about the exact content of a disk or the
main memory in an info-window. Thus, you can find out where
the virus has already installed itself
Furthermore, VIRLAB will give help depending on the situation as to how
you can remove the virus from the system. Nota bene: To our best knowledge
these hints will remove viruses completely from your system in the
your computer is actually infected. However, in case of a real viral
infection even with good scanning programs it is not always possible to
precisely identify a virus. Your PC could be the victim of a new variant
(a new kind of virus) with unpredictable features.
>>> Thus in case of an actual infection of your system it is not <<<
>>> advisable to only adhere to the given hints without checking <<<
>>> the effectiveness of the proposed countermeasures. <<<
Of course the given hints will be sufficient during a VIRLAB session.
!!! What VIRLAB is NOT:
!!! - VIRLAB is NOT a virus construction kit
!!! - VIRLAB does NOT scan your files for viruses or prevent viral attacks
!!! - VIRLAB does NOT modify your files
!!! - VIRLAB does NOT use any viral code or viral scan strings.
!!! If your scan program reports infections while scanning
!!! VIRLAB files, this probably means that these files are infected
!!! by a real computer virus.
2. Hardware Preconditions for VIRLAB
For experimentation with VIRLAB, you will need an IBM-compatible
PC with operating systems MS-DOS or PC-DOS, an EGA or VGA graphic
card and a mouse.
3. Installation and Start
VIRLAB needs the following files for running:
VIRLAB.EXE: main program
VIRUS.PIC: representation of the icons
text files for help and information
(plain text, but used by VIRLAB)
VIRLIST.TXT: virus data base (copyright by McAfee Associates).
VIRLAB is always distributed with the latest version of McAfee's file
(currently V84), but you can exchange this file with any more recent
version that you get hold of as long as the format hasn't changed.
EGAVGA.BGI, LITT.CHR: graphic and text fonts
These files must all be in the same directory. Make this directory the
current directory before starting VIRLAB.
Customization of VIRLAB:
You can use a parameter for selecting your favored floppy representation.
The simulation supports not only floppies of 5" but also of 3" (this
difference is crucial for users because setting and removal of write
protections is different in these cases).
In addition you can include some more (up to 9) viruses in the Examples menu
for easy selection. You achieve this by adding their abbreviations (refer to
string in brackets in VIRLIST.TXT) to your call of VIRLAB.
Call               Simulation with ...   Additional viruses in Examples Menu
VIRLAB             ... 5" floppies
VIRLAB /3          ... 3" floppies
VIRLAB /3 Doodle   ... 3" floppies       Yankee Doodle
After starting the program, you will see the user interface including
main menu, the simulated computer and the icons for the virus and five
floppy disks. On the lower part of the screen, to the right, a
help-window will appear, which gives you help on how to use the
program. To the left of this window, there is room for another one,
the info-window. Information on the virus, necessary actions for
disinfection, the main memory or on the current content of the
storing media can be obtained here.
4. User Interface of VIRLAB
The input will appear on the simulated screen. You can use the function
keys F1 and F3 for stepwise or complete insertion of the previous command.
With the right mouse button
- you can select one item of the main menu,
- you can move both the disks and the virus,
- you can turn the pages of info- and help-windows and close them.
With the left mouse button
- you can activate the help window.
- you can toggle floppy disks' write protection (click into the upper right
Actions can be executed with the mouse any time, provided the DOS
prompt is visible, i.e. even during command input; while programs run,
however, mouse actions are not always possible.
Calling the main menu:
Click onto the menu bar with the left mouse button. A window with
several items will appear.
Choose an item or another menu item by clicking onto it with the left
mouse button or by using the cursor displacement keys. You can
accept the current item by pressing the 'Enter' key.
Cancel by clicking with the left mouse button or with 'ESC' beside the
window containing the items.
Moving of disk or virus icons:
Click onto the icon with the left mouse button and move the mouse to
the desired position keeping the mouse button down.
Each disk has only two possible positions:
- The disk is inserted. It is on the computer covering drive A.
- The disk is 'stowed away'. It is at its original position near the
edge of the screen to the right.
Turning the pages of info and help windows:
Turning up: Click onto 'U' with the left mouse button
Turning down: Click onto 'D' with the left mouse button
Closing: Click onto 'X' with the left mouse button.
Calling the help window with the right mouse button:
Click onto a symbol for which you need help (computer, virus, disk
etc.) with the right mouse button. The respective page will appear in
5. DOS Commands
The following simulated DOS commands are available for handling the
- CD: change directory
(example: CD USER; CD ...)
- MD: make directory
(example: MD NEWDIR; MD \USER\USER1)
- RD: remove directory (only if directory is empty)
(example: RD A:\OLDDIR)
- DIR: listing of content of current directory
(example: DIR \USER\*.COM)
- COPY: copy files
(example: COPY *.COM A:; COPY A:*.*)
- DEL/ERASE: delete files
(example: DEL FILE1.DAT; DEL \USER\*.COM)
- REN/RENAME: rename files
(example: REN FILE1.DAT FILE1A.DAT)
- DATE: read/change current date
- TIME: read/change current system time
- CLS: clear screen
- VER: give DOS version
- FORMAT: disk formatting
(parameter: s: transfer system files,
v: defines label)
(example: FORMAT A: /s /v)
- ATTRIB: read/change file attributes
only one valid parameter: R (Read Only)
(example: ATTRIB *.*; ATTRIB +R FILE1.DAT)
- SYS: transfer system files
6. Executable Programs
The following executable programs are available on the simulated
- SPIEL (a game)
- UHR (displays current time)
- RECHNER (calculator for basic arithmetic operations)
- SONG (a children's melody)
- COUNTER (counts to 50)
In addition, there are some dummy programs which can be called in
the same way as the above programs. However, they do not execute any
functions. They have specific file lengths that can easily be remembered
and thus can serve as indicators for viral infection.
The initial file configuration of the floppy disks is as follows:
Floppy 1: write-protected DOS disk, bootable, containing all system commands
Floppy 2: bootable DOS disk
Floppy 3: non-bootable disk containing the 5 executable programs
Floppy 4: empty (formatted, non-bootable).
Floppy 5: empty (formatted, non-bootable).
7. Simulated Virus Types
Basically VIRLAB simulates three different types of computer viruses:
boot sector viruses, link (or program) viruses (where the viral code
is stored in *.COM, *.EXE or overlay files) and "directory" viruses
(affecting directory entries. This new virus type is represented in VIRLAB
only by one instance. It is usually called "Dir II" virus. However, in this
database its name is Dir-2/FAT and its abbreviation is D-2. It is included
in the Virus/Examples menu).
In principle, these viruses may or may not stay resident in memory after
execution of their code (TSR: "terminate and stay resident"). As for the
possible damage functions, VIRLAB distinguishes between "harmful" and
"harmless" viruses: Harmful viruses will format the simulated (!) hard
disk when a trigger condition is met (date is April 1st or Friday 13th).
The damage function of the harmless virus type will be triggered by the
number of successful infections: After 3 infections an annoying input
request or a silly output will be displayed.
Since the removal of any TSR virus from the memory during a warm
boot (reset of computer) is not guaranteed, all TSR viruses
survive a warm boot (equivalent to pressing Alt-Ctrl-Del) during a
8. The Screen
- will be available through clicking onto the menu bar with the left
- is the output screen of the simulated computer.
- simulates the computer with drive information for floppy disk and
hard disk drives. Each access to a drive is accompanied by a typical
- Insert a floppy by moving the floppy icon with the mouse onto the
- Remove a floppy by moving the floppy icon out of the computer. The
floppy will then automatically be moved to its proper place at the
edge of the screen to the right.
- If a virus has been chosen in the main menu, the virus icon will get
a label with the abbreviation of the virus name.
- Infect a floppy by moving the virus icon with the left mouse button
to the respective floppy disk.
- There are 5 floppies available (numbered 1 to 5). If the virus
symbol has been moved to a floppy (-> infection), a choice menu with
all infectable files will appear.
- shows the actual content of either a floppy, or the hard disk, or the
main memory or the characteristics of the virus or a situation-related
instruction how to remove the virus from the simulated system.
- gives help on how to handle the program.
9. Main Menu
- about VIRLAB: information on VIRLAB
- New Start (of the program):
Both the floppies and the hard disk will be reset to their original state
(viruses will be removed from the floppies, changes in the content of
the floppies will be undone), and a cold boot will be executed.
- Quit: exit the program.
- On: switching the simulated computer on
- Off: switching the simulated computer off
(The current state will be marked by '>').
- Cold Boot: simulation of a booting after pressing reset
(same as switching 'Off' and 'On' subsequently)
- Warm Boot: simulation of booting after pressing Alt-Ctrl-Del.
Depending on the choice of sub-items, you will get a list containing
all viruses with a certain property. You can choose one virus out of
this list. That virus will then be assigned to the virus icon.
You cannot simulate more than one virus at a time! As soon as you
choose a new virus, the old one will be completely removed from the
system, i.e., infected files and boot sectors will be clean again.
(Unlike 'VIRLAB/NewStart', the file structure does not change!)
If a virus choice is interrupted, the virus will be deleted.
There are the following sub-menus:
- Examples: some common viruses which have been grouped here for
+ Vienna: a link virus.
Not resident - a good choice for getting acquainted with VIRLAB.
+ Cascade/1704/Black Jack: a link-virus, stays also resident.
Unfortunately, the screen effects will not be simulated ...
+ Stoned: a boot sector virus also staying resident.
Can infect non-bootable disks, too.
+ 4096: a stealth virus.
Please note the unchanged file length reported by DIR (even after
infection) when the virus is present in the main memory
+ Brain: a boot sector virus also staying resident.
Interesting for historical reasons (first well-known virus).
+ Jerusalem: a well-known program virus with many variants.
+ Dir II (called Dir-2/FAT in McAfee's database)
A "directory virus" manipulating the directory so that entries for
infected files point to the viral code. The virus itself will reside
in the last (or last minus one) cluster of the infected disk. The virus
spreads by infecting all executable files in the current directory and
"above" (parent directories). If the virus is resident in memory the
correct file length of all executable files will be displayed. Otherwise
the DIR command will display the length of the viral code. In this case
execution of a program just returns to the DOS prompt without any
effect other than activating the virus.
- COM: all viruses infecting COM files will be listed.
- EXE: all viruses infecting EXE files will be listed.
- Overlay: all viruses infecting OVERLAY files will be listed.
- Command.Com: all viruses infecting COMMAND.COM-files will be
- Boot Sector: all viruses infecting the boot sector of a floppy disk
or hard disk will be listed.
- Resident: all memory resident viruses (TSR viruses) will be listed.
- Stealth: all stealth viruses will be listed.
- Encryption: all viruses using self-encryption techniques will
- All: all viruses of the virus database will be listed.
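The length check suggested by the dummy programs in section 6, combined with the length reporting described above for 4096 and Dir II, as an added example (not part of VIRLAB or its documentation). The Virus class, the function names, the file names and all lengths are constructed for this toy model; it shows why a recorded-length comparison only flags stealth and directory viruses when the virus is not in main memory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Virus:
    kind: str   # "link", "stealth" or "directory" (labels of this toy model)
    size: int   # bytes of viral code; constructed values, not VIRLAB data


def dir_length(clean_len, infected, virus, resident):
    """Length a DIR listing would show for one file in this toy model."""
    if not infected:
        return clean_len
    if virus.kind == "link":
        # Plain link virus: the size increase is always visible.
        return clean_len + virus.size
    if virus.kind == "stealth":
        # Length looks unchanged only while the virus is in main memory.
        return clean_len if resident else clean_len + virus.size
    if virus.kind == "directory":
        # Resident: correct length shown; otherwise length of the viral code.
        return clean_len if resident else virus.size
    raise ValueError(f"unknown virus kind: {virus.kind}")


def suspicious_files(baseline, infected_names, virus, resident):
    """Names whose listed length differs from the recorded baseline.

    Caveat: a directory virus is missed for a file whose clean length
    happens to equal the viral code length.
    """
    return sorted(
        name
        for name, clean_len in baseline.items()
        if dir_length(clean_len, name in infected_names, virus, resident)
        != clean_len
    )


# Constructed sample: dummy programs with easy-to-remember lengths.
BASELINE = {"DUMMY1.COM": 1000, "DUMMY2.COM": 2000, "DUMMY3.EXE": 3000}
INFECTED = {"DUMMY1.COM", "DUMMY3.EXE"}

if __name__ == "__main__":
    samples = (Virus("link", 500), Virus("stealth", 4096),
               Virus("directory", 1024))
    for virus in samples:
        for resident in (True, False):
            hits = suspicious_files(BASELINE, INFECTED, virus, resident)
            print(f"{virus.kind:9} resident={resident!s:5} -> {hits}")
```
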
- On: any viral activity will be announced in a popup window. Close
this window by pressing the ENTER key or clicking the left mouse
button in the window.
- Off: no messages displayed (for VIRLAB-users wishing to work as
- Virus: features, damage functions, anti-virus program for removal,
and induced file size increase of the chosen virus will be shown. If
there is no current virus, the window shows the characteristics and
damage functions viruses generally have.
- Disinfection: situation-related help as to how the virus can be
removed from the simulated system. If there is no current virus or if
the system is still "clean", common advice on how to protect your PC
against viruses, as well as how to react in cases of viral infection,
will be given.
- RAM: the content of the main memory will be shown.
- Hard Disk: the content of the hard disk will be listed including file
sizes and whether the displayed files are infected.
- Floppy Disk 1-5: analogous to hard disk.
- general: information on both program and screen symbols.
- DOS commands: list of available DOS commands.
- Menu: information on the main menu.
- computer: information on the computer symbol.
- virus: information on the virus icon.
- floppy disks: information on the disk icons.
- info-window: information on the info-window.
If the help-window is already open, choosing these menu items
directly gets you to the related subjects; you can, however, get them
by turning the pages in the window as well (click onto 'U' or 'D').
Major Changes in version 1.4:
- "Directory" (Cluster) Viruses are simulated (until now only Dir II)
- file VPROTECT.TXT is obsolete
- read only files (c.f. ATTRIB command) will be infected by viruses
(just as in real life ...)
Major Changes in version 1.3:
- Movement of virus icon restricted to floppy disks
- file VIR.MSK included in VIRUS.PIC
- bugs removed (missing update about write protection in open info window;
problems after VIRLAB/New Start)
Major Changes in version 1.2:
- English version available
- simulation of 3" floppies possible (Call with VIRLAB /3)
- the files BILDO.PIC, BILDU.PIC and DISKn.PIC are obsolete
- the DOS commands DATE and TIME do not affect the real computer settings
any more (only the simulated date and time)
- the hard disk is represented on the screen more explicitly
- the number of currently simulated viruses is shown (menu VIRLAB/about ...)
- the number of variants of the chosen virus appears in the info-window
- virus names are displayed in alphabetical order in the menu
- *.BAT files are recognized as executable files
- F1 and F3 keys are operational
- user-added selection of viruses in Example Menu (Call with
- The semantics of a file is not lost when copying or renaming a file
Major Changes in version 1.1:
- menu point virus/examples has been added
- viruses named partition-table-viruses in McAfee's database can
now infect the hard disk, too
- infection attempts of the viruses are more regular now, with
resident viruses they occur each time you call the
- after loading the infected COMMAND.COM-file, any calling of the
command-interpreter will initiate an infection attempt,
- use of an infected COMMAND.COM in the main memory is reported in the
11. Known Bugs:
- viruses labelled non-COMMAND.COM-infecting can still infect the file.
- wildcards can only be used in the form *.xxx or xxxxxxxx.*, but not
12. Envisioned Extensions:
- more precise modelling of those viruses now called boot sector viruses
- modelling of anti-virus software
- reworking of info texts and trace texts, explanation facility (due May 92)
We hereby gratefully acknowledge the permission to use the file VIRLIST.TXT
(Copyright by McAfee Associates)
Special thanks for bug reports and valuable suggestions to Evelyn Pfeuffer,
Günter Mußtopf, Vesselin Bontchev.
14. Conditions of Use
VIRLAB was developed at the Institut fuer Informatik of the Technical
University of Munich (Germany) in the course of general student education.
This software is in the public domain. Program and files can be freely
distributed and used in this configuration. You will find the actual version
on gsradig1.informatik.tu-muenchen.de in the directory pub/VIRLAB.
(NOTA BENE: Copyright for the file VIRLIST.TXT is by McAfee Associates).
Distribution of VIRLAB must be free of charge (except for a reasonable fee
for floppy discs etc.)
Institut für Informatik
8000 München 40
e-mail: [email protected]
This software was carefully implemented to comply with its specification, but:
we will not be liable for any damages arising out of the use of this software.