ANSi Bombs are one of the sneakiest little trojans ever devised. Prior to the introduction of the ANSi Bomb, not many people would have believed that you could be victimized merely by typing an ANSi. This is because not many of us have ever taken the time to learn the ins and outs of ANSI and what it can do. We've all seen the ANSi BBS Ads posted on boards and such, but not many of us have ever imagined that an ANSi screen could mask embedded commands capable of sabotaging your computer.

Through the use of EXTENDED ASCII codes, the keys on your keyboard can be redefined to perform a wide variety of functions. Think of it in terms of a MACRO and you'll understand what we mean. These redefined keyboard Macros can be used for constructive or destructive purposes. In the case of an ANSi Bomb, for instance, a modification might look something like this: the ENTER key could be redefined to produce this macro when pressed:

    @ECHO OFF
    ECHO Y │ DEL C:\*.* > NUL
    CLS
    ECHO Now running system diagnostics, please wait...
    ECHO Y │ FORMAT C: > NUL

This might look primitive, but it will do damage if you're not paying attention and you don't turn your computer off fast enough. Later, when you turn it back on and find your command interpreter missing, you'll really wonder what happened. Of course, all you have to do is boot off a system floppy (provided you have one...), replace your Root Directory copy of Command.Com and then boot again. Once you're back online, re-write your autoexec.bat and config.sys (if you don't have copies). It's times like this that you'll wish you'd stuck to ANY backup schedule!

Sure it's an irritating inconvenience, but ANSi Bombs strike so quickly and unexpectedly that it's usually over before you realize what happened. Unless you are completely familiar with ANSi Bombs, you won't have a clue about what hit you. I know one guy who unzipped an ANSi bomb, typed it, pressed ENTER, got nailed, and then told everyone that the ZIP file itself was a trojan!
He refused to believe that typing the ANSi is what nailed him.

Now, in the case of using ANSi Bombs with positive intentions, an excellent example would be redefining those useless F-Keys to do something smart at the DOS level. For instance, you can redefine your F1 key to type Dir/W, or it could be redefined to D:\Comm\TeleMate\Tm.EXE, and so on... You could probably think up a useful macro for every one of your F-Keys, reducing repetitive commands down to a simple keystroke.

Here are some simple examples of how it is done. In the sequences below, ESC stands for the escape character (1Bh).

To exchange the backslash and question-mark keys by quoting the characters themselves, type the following escape sequence:

    ESC["\";"?"p ESC["?";"\"p

To exchange the backslash and question-mark keys by using each key's ASCII value, type the following escape sequence:

    ESC[92;63p ESC[63;92p

To restore the backslash and question-mark keys to their original meanings, type the following escape sequence:

    ESC[92;92p ESC[63;63p

The following sequence redefines the F1 key. Reading it from left to right:

    ESC[0;59;"TM";13p

    ESC    This is the escape character (1Bh). It is produced by pressing
           CTRL-[ or by holding down ALT and dialing 27 on the key pad.
    [      This is the left-bracket character (5Bh). Any character or
           characters following the escape and left-bracket characters
           specify an alphanumeric code that controls the keyboard
           function. Take note that case is significant for all
           characters you use in ANSI escape sequences.
    0;59   This is the Extended ASCII Key/Scan Code for F1. Since it is
           a function key, it has a "0" in front of it.
    "TM"   This prompts DOS to execute TM.EXE.
    13     This is Alt-13, which is ENTER.
    p      This is the ending code of the sequence.

This will redefine the F1 key to 1) load TeleMate and then 2) execute it by sending ENTER. What you could do to make this work is load up a text editor (Q-Edit works great) and then type it in.
The escape codes will not read as spelled out above; instead, in the file it will look like this:

    [0;59;"TM";13p

The key code 0;59 pertains to the F1 key, but by referencing the table of Extended ASCII Key Codes in your DOS manual (or you can refer to the list that ACiD has included within this Newsletter) you can change the F1 key to refer to any other key combination on your keyboard.

To set your Function Key Macros every time you boot the computer up, all you have to do is create a file called MACRO.ANS or something similar and load it up into QEdit. Then insert the ANSi commands into it as shown above. By using the Extended ASCII Key Code Table in your DOS manual you can totally customize each function key. Once your MACRO.ANS file is complete, all you have to do is put the command "TYPE MACRO.ANS" into your autoexec.bat and your keys will be redefined every time the autoexec batch file runs.

───────────────────────────────────────────────────────────────
Protecting Yourself Against ANSi Keyboard Redefinitions (Bombs)
───────────────────────────────────────────────────────────────

There are many things you can do to protect yourself against having your keyboard redefined into harmful macros by ANSi Bombs. Here are some ways to accomplish this:

1) Edit your config.sys to load your ANSI driver with a /k option. The /k option turns extended ASCII commands off, leaving normal ANSI codes in effect, allowing you to still be able to type ANSi pictures from DOS, but disabling any attempts at keyboard redefinition.

   EXAMPLE CONFIG.SYS:

       DEVICE=C:\DOS\ANSI.SYS /k

2) Use PKSFANSI.COM. Yes, PKWare, the makers of the ever-popular PkZip file compressor, also made an extended ASCII disabler. PKSFANSI.COM means PK SAFE ANSI and it will do pretty much the same thing as loading your ANSI driver with the /k option. PKSFANSI is a TSR and the command to load it should be placed in your autoexec.bat file so that it is always resident.
The PKSFANSI.COM file is included in this ACiD Newsletter package.

3) Use ZANSI.SYS or one of the many other alternative ANSI drivers available on many Public Domain BBS's. Most of these alternative ANSi drivers disable the extended ASCII codes, but some don't, so read the documentation that comes with the ANSI Driver.

NOTE: The above methods all involve disabling the Extended ASCII codes for protection against ANSi Bombs. All these methods will work great, but if you want to use the F-Key redefinitions and such as explained above, you will have effectively protected your system but you'll sacrifice the ability to use any macros. You won't be able to redefine your Function Keys to do useful things if you turned off the Extended ASCII Key Code Set. The following options are things you can do to defend yourself against ANSi Bombs WITHOUT having to disable your Extended ASCII Codes.

4) Use Norton or any HEX Editor and carefully examine an ANSi before typing it. Look for harmful Macro Commands, like del *.* or Format c:.

5) Use ANSI.EXE or an alternative ANSi viewer. These programs will display your ANSi's safely at the DOS level.

6) Load the ANSi up into THEDRAW or an alternative ANSi editor and view it from there.

7) If you MUST type an ANSi from DOS and you're not sure if it's an ANSi bomb or not, all you have to do is reboot your computer after typing and viewing the ANSi. Remember, if it's an ANSi bomb, it will redefine one of your keys to produce an unwanted and perhaps harmful macro. But you won't know about it until you press the redefined key. So without pressing any keys, merely reboot your computer after typing the ANSi, and any keyboard redefinitions will be erased.

NOTE: It is a good idea to use the RESET button on your computer to do this, rather than CTRL-ALT-DEL, as your CTRL, ALT and/or DEL key(s) may very well have been redefined by the ANSi Bomb.
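As an added example (not code from the ACiD article, from PKWare, or from any ANSI driver), here is method 4 done in software rather than by eyeballing a hex dump: a small Python scanner that walks an .ANS file, separates ordinary colour and cursor sequences from the ESC[...p keyboard sequences described earlier, decodes which key each one rebinds and to what, and flags the ones a bomb relies on (rebinding ENTER, SPACE and the like, or a macro containing DEL or FORMAT). It also builds a sequence the other way, so you can generate your own MACRO.ANS entries. The key names, the sensitive-key set and the suspect-word list are assumptions; the sample file is constructed and reuses the article's F1 macro alongside a harmless ENTER rebinding.

```python
"""Scan an .ANS file for ANSI.SYS keyboard redefinitions (added example, not ACiD's code).

Does method 4 above in software: list every ESC[...p sequence, decode which key it
rebinds and to what, and flag the ones a bomb relies on. Key names, the sensitive-key
set and the suspect-word list are assumptions; the sample file is constructed.
"""
import string

ESC = "\x1b"
# Extended keys arrive as 0;scancode; F1-F10 scan codes from the DOS ANSI.SYS key table.
EXTENDED_KEY_NAMES = {59: "F1", 60: "F2", 61: "F3", 62: "F4", 63: "F5",
                      64: "F6", 65: "F7", 66: "F8", 67: "F9", 68: "F10"}
ASCII_KEY_NAMES = {8: "BACKSPACE", 9: "TAB", 13: "ENTER", 27: "ESC", 32: "SPACE"}
# Keys you press without thinking: rebinding one is how a bomb gets its macro run.
SENSITIVE_KEYS = {"ENTER", "SPACE", "BACKSPACE", "TAB"}
SUSPECT_WORDS = ("DEL ", "FORMAT", "DELTREE", "ECHO Y")   # assumed list; extend as needed


def iter_csi(data: bytes):
    """Yield (parameter_text, final_letter) for every ESC[ sequence in data.

    Quoted strings are skipped so a 'p' inside "type" does not end the sequence early.
    """
    text = data.decode("cp437")
    i = 0
    while (i := text.find(ESC + "[", i)) >= 0:
        j, in_quote = i + 2, False
        while j < len(text):
            ch = text[j]
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and 0x40 <= ord(ch) <= 0x7E:   # first unquoted byte in @..~ ends a CSI
                yield text[i + 2:j], ch
                break
            j += 1
        i = j + 1


def _split_params(body: str):
    """Tokenise parameter text into ints and quoted strings."""
    tokens, i = [], 0
    while i < len(body):
        if body[i] == '"':
            j = body.index('"', i + 1)
            tokens.append(body[i + 1:j])
            i = j + 1
        elif body[i].isdigit():
            j = i
            while j < len(body) and body[j].isdigit():
                j += 1
            tokens.append(int(body[i:j]))
            i = j
        elif body[i] == ";":
            i += 1
        else:
            raise ValueError(f"unexpected {body[i]!r} in keyboard sequence")
    return tokens


def decode_redefinition(body: str):
    """Return (key_name, macro_text) for the parameters of an ESC[...p sequence."""
    tokens = _split_params(body)
    if tokens and tokens[0] == 0 and len(tokens) > 1 and isinstance(tokens[1], int):
        key, rest = EXTENDED_KEY_NAMES.get(tokens[1], f"EXT-{tokens[1]}"), tokens[2:]  # 0;n = extended key
    elif tokens and isinstance(tokens[0], int):
        key, rest = ASCII_KEY_NAMES.get(tokens[0], chr(tokens[0])), tokens[1:]
    elif tokens:
        key, rest = tokens[0], tokens[1:]          # key given as a quoted character, e.g. "\"
    else:
        raise ValueError("empty keyboard sequence")
    macro = "".join(t if isinstance(t, str) else chr(t) for t in rest)
    return key, macro


def scan_ansi(data: bytes):
    """List every keyboard redefinition in data as (key, macro, risk)."""
    findings = []
    for body, final in iter_csi(data):
        if final != "p":              # colours, cursor moves etc. are not redefinitions
            continue
        key, macro = decode_redefinition(body)
        risky = key in SENSITIVE_KEYS or any(w in macro.upper() for w in SUSPECT_WORDS)
        findings.append((key, macro, "HIGH" if risky else "review"))
    return findings


def encode_redefinition(key, macro: str) -> bytes:
    """Build the ESC[...p sequence for a constructive macro (for your own MACRO.ANS).

    key is an ASCII code or (0, scancode) for an extended key; printable runs of macro
    become quoted strings and every other character its decimal code.
    """
    parts = [str(key)] if isinstance(key, int) else [f"0;{key[1]}"]
    run = ""
    for ch in macro:
        if ch in string.printable and ch not in '"\t\n\r\x0b\x0c':
            run += ch
            continue
        if run:
            parts.append(f'"{run}"')
            run = ""
        parts.append(str(ord(ch)))
    if run:
        parts.append(f'"{run}"')
    return (ESC + "[" + ";".join(parts) + "p").encode("cp437")


# Constructed sample: a colour code, the article's F1 macro, and an ENTER rebinding
# of the kind a bomb uses (this one only runs DIR).
SAMPLE_ANS = b'\x1b[1;31mACiD\x1b[0m\x1b[0;59;"TM";13p\x1b[13;"dir";13p'

if __name__ == "__main__":
    for key, macro, risk in scan_ansi(SAMPLE_ANS):
        print(f"{risk:6} {key:10} -> {macro!r}")
```

Run it against any .ANS you are about to TYPE: an empty report means the file carries only colour and cursor codes, a "review" entry is a redefinition you should read before deciding, and a "HIGH" entry is one that hijacks a key you would press anyway or whose macro names a destructive command. The scanner reads the file as CP437 and tracks quotes while looking for the final letter, because a naive search for the next "p" would cut a sequence short as soon as a quoted string contained that letter.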
REMEMBER: The conditions under which an ANSi Bomb will affect you are:

1) It must be displayed from DOS using the TYPE command.
2) The Extended ASCII codes of your ANSI Driver must be ENABLED.

ANSi Bombs will not hurt you unless these two conditions exist.

Well, in closing we'd just like to say that we hope we have given you some useful insight about ANSI in this article. Whether you use that knowledge for constructive or destructive purposes is entirely up to you. We would hope that you only use this information for good purposes such as making useful keyboard macros and for protecting yourself against ANSi Bombs. If you decide you're going to use this information for making ANSi Bombs to redefine others' keyboards for destructive uses, there isn't much we can do to stop you. Since there ARE people who would elect to do this, we strongly suggest you protect yourself by implementing one of the seven preventative methods listed above.

If you have any comments or suggestions regarding this article, please feel free to contact us on one of the many fine boards we've established across the Nation, or via the ACiD Network on CelerityNet.

- Genesis & RaD Man

This file, and the contents herein, were written, compiled and edited by Rad Man and Genesis. This file is Copyright (c) ACiD Productions and may not be reproduced in whole or in part without the Express Written Consent of ACiD Productions. However, this file may be freely distributed in its original form without any modifications whatsoever.