*--* 05-11-95 - 11:57:29am *--*
Checking Read request. Please wait ...
The Ansi Bomb FAQ v0.4
by Jason Livingston, Sysop of Farpoint BBS (301)-593-4629
Table of Contents
 What is an Ansi Bomb?
 How do Ansi Bombs work?
 How do I make an Ansi Bomb?
 How do I implement an Ansi Bomb?
 How do I protect myself from Ansi Bombs?
 Document Revision
1. What is an Ansi Bomb?
Hackers have always looked for better, faster, and easier ways to
distribute virii. An "Ansi Bomb" is extremely easy to create,
powerful, and easy to distribute. It uses simple DOS commands to
completely screw up the target computer. It is the ONLY type of
virus that can travel through text files and does not need to be
executed. An Ansi Bomb can perform many virus-like tasks, from
mere annoyances to complete destruction. Because of this, they are
often the choice weapon a non-professional hacker uses to infect
(ANSIBOMB.TXT 16%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More?
2. How do Ansi Bombs work?
Very well. But seriously... Unlike most viruses, which are written
in a programming language (usually C or assembly), an Ansi Bomb can
be written with a standard text editor. It uses a less-known feature
of the DOS driver ANSI.SYS to reprogram the keyboard of the target
computer. Any one key can be assigned to perform almost any function,
including deleting files, formatting hard drives, or displaying a
message. Ansi Bombs can also change one key into another, so that
whenever you type "A" you get "B" instead. However, there are some
limitations to Ansi Bombs. First, the target computer must have
ANSI.SYS loaded (which most computers do). Second, an Ansi Bomb is
wiped from memory during each boot, so the changes are not permanent.
Third, the changes will not affect any program that bypasses ANSI.SYS.
The standard MS-DOS Edit and any Windows programs are examples. But
since most power users use the DOS prompt once in a while, the bomb
will affect them. Fourth, you need a way to make the target computer
read the file containing the bomb (which is fairly easy to do).
3. How do I make an Ansi Bomb?
Since Ansi Bombs are almost as bad as virii, I'm only going to tell
(ANSIBOMB.TXT 33%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More? you how to make an annoying bomb. If you want to make a destructive
one, figure it out yourself :(. I'll give you a hint though: it
involves the DOS Prompt and displaying a message.
OK. For starters, a complete reference to ANSI.SYS is available for
users of MS-DOS 6+. Just type "help ansi.sys". From now on I'm going
to assume you know how do do simple tasks like run a program, cut and
paste, copy a file, etc. Anyway, start by locating any old ANSI file.
Why? Because Dos EDIT does not allow you to enter the ANSI escape code,
which looks like an arrow pointing left. You can use cut/paste to get
one from another ansi file. Now, if you read the help file above, you
would have noticed the ANSI code to reprogram a keyboard, which is
"ESC[(OldCode);(NewCode)p" where ESC is the left arrow and (OldCode)
and (NewCode) are the keyboard scan codes (shown in the table at the
bottom of the help file). (NewCode) can also be a text message, just
enclose the message in quotes (" "). Note that the "p" at the end MUST
be in lower case. Also, some of the codes for function keys have a
semicolon in them, like "0;59" for F1. Just enter the code with the
semicolon exactly as it appears.
So where does this get us? Well, we can change the key "A" to display
a "B" by using the code "ESC[65;66p". Or, we could display the
message "You Suck" by entering 'ESC[65;"You Suck!"p' (I used single
(ANSIBOMB.TXT 49%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More? quotes instead of double). Remember what I said about destructive
bombs. Think what would happen if you replaced a letter with
"del file.ext" (as long as the user is at the dos prompt, presses that
letter, and then enter. there are ways around that though).
4. How do I implement an Ansi Bomb?
Easy. Put those codes mentioned above in an ANSI file. In order to
reduce suspicion, make sure to put all of the codes on the same line,
one after another. You can also use the ANSI save position code
("ESC[s") and restore code ("ESC[u") to make sure the cursor doesn't
move while the bomb is loading. So, a simple bomb might look like:
Of course, replace each ESC with the escape code and make sure to
keep the letters in the correct case (it is case sensitive).
But how do I force these onto someone? This takes some thought. If it
is a live person, put the bomb in the middle of a cool ansi and show
it to him/her on his/her computer. If it is a BBS, there are several
options. Some BBS's allow ANSI codes in messages, so put the bomb in
a message to the sysop or to the users. Some BBS's scan uploads, so
you may be able to infect it that way. If your bomb is only one line
long, put it as a oneliner message to infect everyone who calls the
(ANSIBOMB.TXT 66%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More? BBS.
A fairly recent option is to put the bomb in a ZIP comment. There are
several freeware programs that add a comment to any ZIP file so that
the comment is displayed upon unzip. However, most ZIP comment
programs strip out ANSI codes, so be careful. If the BBS scans ZIP
uploads, they are in for trouble now.
These are just some suggestions. Try to think of others, amd if you do,
send them to me.
5. How do I protect myself from Ansi Bombs?
The most obvious solution is to REM out ANSI.SYS from your config.sys
file. This is not the best option since some programs require it, and
some programs emulate ANSI support anyway. If you are running ANSI.SYS
with the "/X" parameter, REMOVE IT NOW! The "/X" parameter allows an
Ansi Bomb to gain complete control of your keyboard at any time. This
could be catostrophic if the creator was in a bad mood and put Format
If you call BBS's that you don't know much about (i.e. pirate boards),
try turning off ANSI emulation on your first call. If you see any
(ANSIBOMB.TXT 82%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More? suspicious ANSI codes, don't call back. If you download ANSI graphics,
view them first with a text-only editior (MS-DOS Edit) and search for
bombs (any code that ends with "p").
If you notice your keyboard acting strangely, DON'T PRESS ANOTHER KEY!
Unless you are doing something critical, or you strongly suspect a
hardware problem, hit the RESET button (not Ctrl-Alt-Del because an
Ansi Bomb could be linked to one of those keys). Boot with NO
Config.Sys/Autoexec.Bat because there could be a bomb in one of them.
Use a text-only viewer to check them out because an Ansi Code could
have been added. Delete any ansi codes in these files (don't just REM
them, this has no effect), and remove ANSI.SYS from your config.sys.
Reboot and delete all recently downloaded files. Notify the infected
BBS or user. I would scan my computer for conventional virii also,
since a BBS that is infected once can easily be infected again. Once
you are SURE that your system is clean, you may re-enable ANSI.SYS,
and continue to look for odd keyboard behavior.
6. Document Revision
v0.1 First release
v0.2 Added /X parameter, hard reboot instead of Ctrl-Alt-Del
v0.3 Fixed some spelling errors, revised and improved by users
(ANSIBOMB.TXT 99%), (H)elp (F)ind (E)nd (P)gUp (T)op (>), More?