*--* 05-11-95 - 11:57:29am *--*
The Ansi Bomb FAQ v0.4
by Jason Livingston, Sysop of Farpoint BBS (301)-593-4629
Internet: Jason-L@access.digex.net
Table of Contents
[1] What is an Ansi Bomb?
[2] How do Ansi Bombs work?
[3] How do I make an Ansi Bomb?
[4] How do I implement an Ansi Bomb?
[5] How do I protect myself from Ansi Bombs?
[6] Document Revision
1. What is an Ansi Bomb?
Hackers have always looked for better, faster, and easier ways to
distribute virii. An "Ansi Bomb" is extremely easy to create,
powerful, and easy to distribute. It uses simple DOS commands to
completely screw up the target computer. It is the ONLY type of
virus that can travel through text files and does not need to be
executed. An Ansi Bomb can perform many virus-like tasks, from
mere annoyances to complete destruction. Because of this, they are
often the choice weapon a non-professional hacker uses to infect
someone.
2. How do Ansi Bombs work?
Very well. But seriously... Unlike most viruses, which are written
in a programming language (usually C or assembly), an Ansi Bomb can
be written with a standard text editor. It uses a less-known feature
of the DOS driver ANSI.SYS to reprogram the keyboard of the target
computer. Any one key can be assigned to perform almost any function,
including deleting files, formatting hard drives, or displaying a
message. Ansi Bombs can also change one key into another, so that
whenever you type "A" you get "B" instead. However, there are some
limitations to Ansi Bombs. First, the target computer must have
ANSI.SYS loaded (which most computers do). Second, an Ansi Bomb is
wiped from memory during each boot, so the changes are not permanent.
Third, the changes will not affect any program that bypasses ANSI.SYS.
The standard MS-DOS Edit and any Windows programs are examples. But
since most power users use the DOS prompt once in a while, the bomb
will affect them. Fourth, you need a way to make the target computer
read the file containing the bomb (which is fairly easy to do).
3. How do I make an Ansi Bomb?
Since Ansi Bombs are almost as bad as virii, I'm only going to tell
you how to make an annoying bomb. If you want to make a destructive
one, figure it out yourself :(. I'll give you a hint though: it
involves the DOS Prompt and displaying a message.
OK. For starters, a complete reference to ANSI.SYS is available for
users of MS-DOS 6+. Just type "help ansi.sys". From now on I'm going
to assume you know how to do simple tasks like run a program, cut and
paste, copy a file, etc. Anyway, start by locating any old ANSI file.
Why? Because DOS EDIT does not allow you to enter the ANSI escape code,
which looks like an arrow pointing left. You can use cut/paste to get
one from another ANSI file. Now, if you read the help file above, you
would have noticed the ANSI code to reprogram a keyboard, which is
"ESC[(OldCode);(NewCode)p" where ESC is the left arrow and (OldCode)
and (NewCode) are the keyboard scan codes (shown in the table at the
bottom of the help file). (NewCode) can also be a text message, just
enclose the message in quotes (" "). Note that the "p" at the end MUST
be in lower case. Also, some of the codes for function keys have a
semicolon in them, like "0;59" for F1. Just enter the code with the
semicolon exactly as it appears.
So where does this get us? Well, we can change the key "A" to display
a "B" by using the code "ESC[65;66p". Or, we could display the
message "You Suck" by entering 'ESC[65;"You Suck!"p' (I used single
quotes instead of double). Remember what I said about destructive
bombs. Think what would happen if you replaced a letter with
"del file.ext" (as long as the user is at the DOS prompt, presses that
letter, and then Enter; there are ways around that though).
4. How do I implement an Ansi Bomb?
Easy. Put those codes mentioned above in an ANSI file. In order to
reduce suspicion, make sure to put all of the codes on the same line,
one after another. You can also use the ANSI save position code
("ESC[s") and restore code ("ESC[u") to make sure the cursor doesn't
move while the bomb is loading. So, a simple bomb might look like:
"ESC[sESC[65;66pESC[105;107pESC[u"
Of course, replace each ESC with the escape code and make sure to
keep the letters in the correct case (it is case sensitive).
But how do I force these onto someone? This takes some thought. If it
is a live person, put the bomb in the middle of a cool ansi and show
it to him/her on his/her computer. If it is a BBS, there are several
options. Some BBS's allow ANSI codes in messages, so put the bomb in
a message to the sysop or to the users. Some BBS's scan uploads, so
you may be able to infect it that way. If your bomb is only one line
long, put it as a one-liner message to infect everyone who calls the
BBS.
A fairly recent option is to put the bomb in a ZIP comment. There are
several freeware programs that add a comment to any ZIP file so that
the comment is displayed upon unzip. However, most ZIP comment
programs strip out ANSI codes, so be careful. If the BBS scans ZIP
uploads, they are in for trouble now.
These are just some suggestions. Try to think of others, and if you do,
send them to me.
5. How do I protect myself from Ansi Bombs?
The most obvious solution is to REM out ANSI.SYS from your config.sys
file. This is not the best option since some programs require it, and
some programs emulate ANSI support anyway. If you are running ANSI.SYS
with the "/X" parameter, REMOVE IT NOW! The "/X" parameter allows an
Ansi Bomb to gain complete control of your keyboard at any time. This
could be catastrophic if the creator was in a bad mood and put Format
in there.
If you call BBS's that you don't know much about (e.g. pirate boards),
try turning off ANSI emulation on your first call. If you see any
suspicious ANSI codes, don't call back. If you download ANSI graphics,
view them first with a text-only editor (MS-DOS Edit) and search for
bombs (any code that ends with "p").
If you notice your keyboard acting strangely, DON'T PRESS ANOTHER KEY!
Unless you are doing something critical, or you strongly suspect a
hardware problem, hit the RESET button (not Ctrl-Alt-Del because an
Ansi Bomb could be linked to one of those keys). Boot with NO
Config.Sys/Autoexec.Bat because there could be a bomb in one of them.
Use a text-only viewer to check them out because an Ansi Code could
have been added. Delete any ansi codes in these files (don't just REM
them, this has no effect), and remove ANSI.SYS from your config.sys.
Reboot and delete all recently downloaded files. Notify the infected
BBS or user. I would scan my computer for conventional virii also,
since a BBS that is infected once can easily be infected again. Once
you are SURE that your system is clean, you may re-enable ANSI.SYS,
and continue to look for odd keyboard behavior.
6. Document Revision
v0.1 First release
v0.2 Added /X parameter, hard reboot instead of Ctrl-Alt-Del
v0.3 Fixed some spelling errors, revised and improved by users