


05-11-95 11:57:29am

The Ansi Bomb FAQ v0.4
by Jason Livingston, Sysop of Farpoint BBS (301)-593-4629
Internet: Jason-L@access.digex.net

Table of Contents

[1] What is an Ansi Bomb?
[2] How do Ansi Bombs work?
[3] How do I make an Ansi Bomb?
[4] How do I implement an Ansi Bomb?
[5] How do I protect myself from Ansi Bombs?
[6] Document Revision

1. What is an Ansi Bomb?

Hackers have always looked for better, faster, and easier ways to distribute virii. An "Ansi Bomb" is extremely easy to create, powerful, and easy to distribute. It uses simple DOS commands to completely screw up the target computer. It is the ONLY type of virus that can travel through text files and does not need to be executed. An Ansi Bomb can perform many virus-like tasks, from mere annoyances to complete destruction. Because of this, they are often the weapon of choice for a non-professional hacker who wants to infect someone.

2. How do Ansi Bombs work?

Very well. But seriously...

Unlike most viruses, which are written in a programming language (usually C or assembly), an Ansi Bomb can be written with a standard text editor. It uses a less-known feature of the DOS driver ANSI.SYS to reprogram the keyboard of the target computer. Any one key can be assigned to perform almost any function, including deleting files, formatting hard drives, or displaying a message. Ansi Bombs can also change one key into another, so that whenever you type "A" you get "B" instead.

However, there are some limitations to Ansi Bombs. First, the target computer must have ANSI.SYS loaded (which most computers do). Second, an Ansi Bomb is wiped from memory during each boot, so the changes are not permanent. Third, the changes will not affect any program that bypasses ANSI.SYS; the standard MS-DOS Edit and any Windows programs are examples. But since most power users use the DOS prompt once in a while, the bomb will affect them. Fourth, you need a way to make the target computer read the file containing the bomb (which is fairly easy to do).

3. How do I make an Ansi Bomb?

Since Ansi Bombs are almost as bad as virii, I'm only going to tell you how to make an annoying bomb. If you want to make a destructive one, figure it out yourself :(. I'll give you a hint though: it involves the DOS Prompt and displaying a message.

OK. For starters, a complete reference to ANSI.SYS is available for users of MS-DOS 6+. Just type "help ansi.sys". From now on I'm going to assume you know how to do simple tasks like run a program, cut and paste, copy a file, etc.

Anyway, start by locating any old ANSI file. Why? Because DOS EDIT does not allow you to enter the ANSI escape code, which looks like an arrow pointing left. You can use cut/paste to get one from another ANSI file.

Now, if you read the help file above, you would have noticed the ANSI code to reprogram a keyboard, which is "ESC[(OldCode);(NewCode)p", where ESC is the left arrow and (OldCode) and (NewCode) are the keyboard scan codes (shown in the table at the bottom of the help file). (NewCode) can also be a text message; just enclose the message in quotes (" "). Note that the "p" at the end MUST be in lower case. Also, some of the codes for function keys have a semicolon in them, like "0;59" for F1. Just enter the code with the semicolon exactly as it appears.

So where does this get us? Well, we can change the key "A" to display a "B" by using the code "ESC[65;66p". Or, we could display the message "You Suck" by entering 'ESC[65;"You Suck!"p' (I used single quotes instead of double). Remember what I said about destructive bombs. Think what would happen if you replaced a letter with "del file.ext" (as long as the user is at the DOS prompt, presses that letter, and then Enter; there are ways around that though).

4. How do I implement an Ansi Bomb?

Easy. Put those codes mentioned above in an ANSI file. In order to reduce suspicion, make sure to put all of the codes on the same line, one after another. You can also use the ANSI save position code ("ESC[s") and restore code ("ESC[u") to make sure the cursor doesn't move while the bomb is loading. So, a simple bomb might look like:

"ESC[sESC[65;66pESC[105;107pESC[u"

Of course, replace each ESC with the escape code and make sure to keep the letters in the correct case (it is case sensitive).

But how do I force these onto someone? This takes some thought. If it is a live person, put the bomb in the middle of a cool ANSI and show it to him/her on his/her computer. If it is a BBS, there are several options. Some BBS's allow ANSI codes in messages, so put the bomb in a message to the sysop or to the users. Some BBS's scan uploads, so you may be able to infect it that way. If your bomb is only one line long, put it as a oneliner message to infect everyone who calls the BBS. A fairly recent option is to put the bomb in a ZIP comment. There are several freeware programs that add a comment to any ZIP file so that the comment is displayed upon unzip. However, most ZIP comment programs strip out ANSI codes, so be careful. If the BBS scans ZIP uploads, they are in for trouble now. These are just some suggestions. Try to think of others, and if you do, send them to me.

5. How do I protect myself from Ansi Bombs?

The most obvious solution is to REM out ANSI.SYS from your config.sys file. This is not the best option since some programs require it, and some programs emulate ANSI support anyway.

If you are running ANSI.SYS with the "/X" parameter, REMOVE IT NOW! The "/X" parameter allows an Ansi Bomb to gain complete control of your keyboard at any time. This could be catastrophic if the creator was in a bad mood and put Format in there.

If you call BBS's that you don't know much about (i.e. pirate boards), try turning off ANSI emulation on your first call. If you see any suspicious ANSI codes, don't call back. If you download ANSI graphics, view them first with a text-only editor (MS-DOS Edit) and search for bombs (any code that ends with "p").

If you notice your keyboard acting strangely, DON'T PRESS ANOTHER KEY! Unless you are doing something critical, or you strongly suspect a hardware problem, hit the RESET button (not Ctrl-Alt-Del, because an Ansi Bomb could be linked to one of those keys). Boot with NO Config.Sys/Autoexec.Bat because there could be a bomb in one of them. Use a text-only viewer to check them out because an ANSI code could have been added. Delete any ANSI codes in these files (don't just REM them; this has no effect), and remove ANSI.SYS from your config.sys. Reboot and delete all recently downloaded files. Notify the infected BBS or user. I would scan my computer for conventional virii also, since a BBS that is infected once can easily be infected again. Once you are SURE that your system is clean, you may re-enable ANSI.SYS, and continue to look for odd keyboard behavior.

6. Document Revision

v0.1 First release
v0.2 Added /X parameter, hard reboot instead of Ctrl-Alt-Del
v0.3 Fixed some spelling errors, revised and improved by users
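The advice in section 5 is to open downloaded ANSI files in a text-only editor and search for any code that ends in "p". The script below is an added example, written for this page and not part of the FAQ or its author's work: it does that check mechanically. It walks the file looking for ANSI.SYS key-reassignment sequences (ESC [ key ; replacement p, with the extended 0;n form for function keys and double-quoted strings allowed as replacements), decodes what each one remaps, and can strip just those sequences while leaving colour and cursor codes untouched. The sample input is constructed and embeds the FAQ's own two-key example; the function and class names are my own.

```python
"""Scanner for ANSI.SYS keyboard-reassignment sequences in text/ANSI art.

Added example, not part of the original FAQ. ANSI.SYS key remapping uses
ESC [ <key> ; <replacement> p, where <key> is a single code (65 = 'A') or
the extended form 0;<n> (0;59 = F1), and <replacement> is any mix of numeric
codes and double-quoted strings. Anything ending in a lower-case 'p' is what
the FAQ tells you to look for; this tool finds it and decodes it.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union

ESC = "\x1b"
Token = Union[int, str]


def find_csi_sequences(data: str) -> Iterator[Tuple[int, int, str, str]]:
    """Yield (start, end, params, final_byte) for every ESC[...X sequence.

    Quoted strings inside the parameters are honoured, so a letter or ';'
    inside a message (e.g. "stop") does not end the sequence early. A new
    ESC aborts an unfinished sequence, and an unterminated one is skipped,
    so a malformed sequence cannot hide a later one from the scanner.
    """
    i, n = 0, len(data)
    while True:
        i = data.find(ESC + "[", i)
        if i < 0:
            return
        j, in_quote, final = i + 2, False, None
        while j < n:
            ch = data[j]
            if in_quote:
                in_quote = ch != '"'
            elif ch == '"':
                in_quote = True
            elif ch == ESC:                  # a new ESC aborts this one
                break
            elif "@" <= ch <= "~":           # CSI final byte range
                final = ch
                break
            j += 1
        if final is None:
            i = j if j < n else i + 2        # resume at the ESC, or skip
            continue
        yield i, j + 1, data[i + 2:j], final
        i = j + 1


def _tokens(params: str) -> List[Token]:
    """Split '0;59;"hello"' into [0, 59, 'hello']."""
    toks: List[Token] = []
    i = 0
    while i < len(params):
        if params[i] == '"':
            j = params.index('"', i + 1)     # balanced: the finder ensures it
            toks.append(params[i + 1:j])
            i = j + 1
        elif params[i].isdigit():
            j = i
            while j < len(params) and params[j].isdigit():
                j += 1
            toks.append(int(params[i:j]))
            i = j
        else:
            i += 1                           # ';' separator or junk
    return toks


@dataclass
class KeyRemap:
    offset: int
    key: str                  # "65" or extended "0;59"
    replacement: List[Token]

    def describe(self) -> str:
        def name(t: Token) -> str:
            if isinstance(t, str):
                return repr(t)
            return f"{t} ({chr(t)!r})" if 32 <= t < 127 else str(t)
        return f"offset {self.offset}: key {self.key} -> " + ", ".join(
            name(t) for t in self.replacement)


def scan_for_bombs(data: str) -> List[KeyRemap]:
    """Return every key-reassignment ('p') sequence found in the data."""
    hits = []
    for start, _end, params, final in find_csi_sequences(data):
        if final != "p":
            continue
        toks = _tokens(params)
        if not toks:
            continue
        if toks[0] == 0 and len(toks) > 1 and isinstance(toks[1], int):
            key, rest = f"0;{toks[1]}", toks[2:]    # extended key (F1 ...)
        else:
            key, rest = str(toks[0]), toks[1:]
        hits.append(KeyRemap(start, key, rest))
    return hits


def strip_key_remaps(data: str) -> str:
    """Remove only the 'p' sequences; colour/cursor codes are left intact."""
    out, pos = [], 0
    for start, end, _params, final in find_csi_sequences(data):
        if final == "p":
            out.append(data[pos:start])
            pos = end
    out.append(data[pos:])
    return "".join(out)


# Constructed sample: harmless colour codes, the FAQ's two-key example bomb,
# and an extended-key remap of F1 to a text string.
SAMPLE = (
    "\x1b[31mWelcome to Farpoint BBS\x1b[0m\r\n"
    "\x1b[s\x1b[65;66p\x1b[105;107p\x1b[u"
    '\x1b[0;59;"hello"p'
    "Enjoy your stay!\r\n"
)

if __name__ == "__main__":
    for hit in scan_for_bombs(SAMPLE):
        print(hit.describe())
```

Run it on a downloaded .ANS file by reading the file as text (the DOS files are 8-bit, so open with an encoding such as cp437) and passing the contents to scan_for_bombs; anything it reports is a key reassignment, whatever the rest of the picture looks like. strip_key_remaps gives you a copy that still displays its colours but can no longer touch the keyboard.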

