Chronology Current Month Current Thread Current Date
[Year List] [Month List (current year)] [Date Index] [Thread Index] [Thread Prev] [Thread Next] [Date Prev] [Date Next]

F.Y.I. CIAC Bulletin J-037: W97M.Melissa Word Macro Virus



hi everyone,
Here is the low down on the latest virus that is apparently
widespread and taking down some e-mail systems. From my understanding,
you are OK as long as you do not open a message from <name> with the
subject: Very Important Message from <Name>. I can sum it better if
there are any requests.


Sam Held


------- Forwarded Message

Date: Sat, 27 Mar 1999 12:45:38 -0800 (PST)
From: CIAC Mail User <ciac@rumpole.llnl.gov>
Message-ID: <199903272045.MAA07648@rumpole.llnl.gov>
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-037: W97M.Melissa Word Macro Virus
Sender: owner-ciac-bulletin@rumpole.llnl.gov
Precedence: bulk

[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----


__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________

INFORMATION BULLETIN

W97M.Melissa Word Macro Virus

March 27, 1999 17:00 GMT Number
J-037
________________________________________________________________________
_____
PROBLEM: A new Word 97 macro virus named W97M.Malissa has been
detected
at multiple DOE sites and is known to be spreading
widely. The
virus uses Microsoft Outlook to e-mail the infected
document
to the first 50 people from each of your Outlook address
books.
PLATFORM: Windows 95 or Windows NT running Microsoft Word 97
(version 8)
or Word 2000 (version 9) and Microsoft Outlook. Word 98
on the
Macintosh is probably not vulnerable because the virus
uses
the Windows registry, but that has not been verified yet.

Outlook Express and other mail readers are not
vulnerable.
DAMAGE: It overwrites the first macro in open documents and in
the
normal.dot template with the macro virus code. It turns
off
macro detection in Word. It sends copies of the infected
document to up to 50 people from each of your Outlook
address
books.
SOLUTION: Use an updated antivirus product. Some vendors have a
solution
available but in many cases you must go to the vendors
web
site to get it. Do not depend on the automatic or live
update
feature of an antivirus package to get the detector for
this
virus. Additional precautions are to password protect the

normal.dot file, turn on macro virus detection in Word,
and DO
NOT OPEN attachments to mail messages with the subject
"Important Message From " and the contents "Here is that
document you asked for ... don't show anyone else ;-)"
without
checking with the sender. Alert your computer security
officers if you receive such messages.
________________________________________________________________________
_____
VULNERABILITY Risk of infection is high. This virus is spreading widely

ASSESSMENT: within and without of the DOE complex. The risk of damage
to
your system is low because most users do not have macros
in
files and would be alerted by Word's macro detector. The
risk
of lostproductivity and lost mail messages is high as
mail
servers may have to be shut down and purged of infected
mail
messages.
________________________________________________________________________
_____
CIAC has critical information about the W97M.Melissa Word Macro Virus

The W97M.Malissa Word macro virus has been seen within the DOE complex.
This
macro virus attaches to Word objects in Word 97 and Word 2000. Because
of
this method of infection, this virus will not infect older versions of
Microsoft Word. When an infected document is opened, the virus checks to

see if Word 97 or Word 2000 is installed and then disables the Macro
toolbar.
It then disables the following Word options:

Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.

Disabling these options makes it difficult to detect the virus in
action. The
virus next checks the value of the private registry string:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that string is not equal to "... by Kwyjibo" the virus sends copies
of the
infected document to the first 50 people in each of your Outlook address

books and then sets the registry key so it does not do this again. It
sends
copies of the infected document to others by opening a connection to
Microsoft
Outlook and creating an e-mail message with the subject:

Important Message From <username>

where <username> is replaced with the current Word user's name (Tools,
Options
command, User Information tab). The body of the message contains the
following
text:

Here is that document you asked for ... don't show anyone else ;-)

The virus then inserts the first 50 users from your Outlook address
book,
attaches the infected document and sends the message. It does this for
however
many address books you have defined in Outlook.

After sending itself to the people in your address books, the virus then
checks to see if it is running on a document or the Normal.dot template.
If
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is
running on the Normal.dot template, it infects the active document with
a
Document_Open macro that runs whenever a document is opened. After the
Normal.dot template is infected, the virus infects every document you
work
on as soon as you close them. If you share these documents with anyone,
you
will spread the virus.

Finally, if the minute of the hour equals the day of the month, the
virus
inserts the following message at the current location in the active
document.

Twenty-two points, plus triple-word-score, plus fifty points for using

all my letters. Game's over. I'm outta here.

Detecting The Virus
===================

Several antivirus vendors have a detection and cleaning capability for
this
virus; however, you must go to the vendors web site to get the scanner
updates. Scanners with automatic or live update features do not yet get
the
update required to find and clean this virus. While we expect the
detection
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web
site.
We have verified that the Norton Antivirus updater obtained from the
Symantec web site
(http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus, the current live update does not. We have
reliable
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and
Trend Micro
(http://housecall.antivirus.com/smex_housecall/technotes.html)
also have detection capabilities.

If you receive an e-mail with the following subject and body, DO NOT
OPEN the
attachment.

Subject:
Important Message From <username>
Body:
Here is that document you asked for ... don't show anyone else ;-)

Make sure the sender is someone you know and then ask them if they
really
sent you the attachment before opening it. If they did not send it, do
not
open the attachment and contact your computer security manager. The most

common name for the attached file is list1.doc but that name can change.

If the following text appears in a document without your putting it
there,
your normal.dot template is infected and your Word program is infecting
all
documents when you close them.

Twenty-two points, plus triple-word-score, plus fifty points for using

all my letters. Game's over. I'm outta here.


Another option to see if a system has been infected is to use Regedit
and
search for the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that key exists and has the value "... by Kwyjibo" the system has
been
infected at some time. Note that the infection may have been removed
without
deleting the key. This key can be deleted, but does no damage if left
alone.

Protecting A System
===================

The first step in protecting a system is to have a current antivirus
package
running on your system. Be sure to update it at least once a month. Many
of
the newer antivirus scanners have the capability to automatically update
themselves every couple of weeks.

To protect Word from this and other Word macro viruses, first insure
that Word
has been patched with the Word 97 Template vulnerability patch
(http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the
normal.dot template file should be password protected; and third, the
following Word 97 options should be enabled.

Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.

Password Protecting The Normal.dot File
- - - - - ---------------------------------------

To password protect the Normal.dot file in Word 97, perform these steps:

1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password
twice.
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.

The next time you start Word, the normal.dot template will be protected.


WARNING: If you ever have to type in the password to make changes to the

normal.dot file be aware that the file remains unprotected until you
quit
Word and restart it.

Turning On Macro Virus Protection and Other Options
- ---------------------------------------------------

Some simple macro virus protection is built into Word 97. It does not
detect
specific macro viruses but only informs you if macros exist on a
document you
are trying to open. Macros detected by Macro Virus Protection are not
necessarily a virus. However, if you are alerted to a macro attached to
a
document you should be extremely wary because most people do not have
macros
attached to their documents.

Other options to set are:

Confirm conversions at open. This makes Word display a dialog box if
it is converting a document from one format to another.

Prompt to save Normal template. This makes Word display a dialog box
asking you to confirm changes to the Normal.dot template. Most
macro viruses hide in Normal.dot so this lets you know that there
has been a change that you may want to prevent. Changes also occur
when you change the default font or one of the built-in styles.


To turn on macro virus protection and these other options, perform these
steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
4. Close the dialog box.

Whenever you open a document that contains macros, the macro virus
protection
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled,
open
the document without the macros, or cancel the open operation. You
should
only open a document with macros enabled if you are expecting there to
be
macros on that document and you know what they are supposed to do.

Detecting the Virus With a Mail Server
======================================

If a site has been infected you may need to block the virus infected
mail
messages with your mail servers. The following filter was written by
Scott
Hutton (Lead Security Engineer, Information Technology Security Office)
of
Indiana University. As Scott mentions, this filter blocks all messages
with
the text "Important Message From" in the subject line, which may block
messages that do not contain the virus. Use this filter at your own
discretion.

===== start included text ======
We blocked this on our mail relays through the following additions to
the sendmail.cf:

HSubject: $>CheckSubject
SCheckSubject
RImportant Message From $+ $#error $: 553 Subject Error
R$* $@ OK

Don't forget that there are tabs before $#error and $@ OK. This will
block any message where the subject begins with "Important Message
From ...", which may be too rash of an action at your site.

===== end included text ======

Another filter was obtained by the CERT team from Nick Christenson of
sendmail.com

ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa
-
filter.txt
________________________________________________________________________
_____
Thanks to Scott Hutton for the preliminary analysis and for a sendmail
filter. Thanks to CERT and Nick Christenson of sendmail.com for another
sendmail filter.
________________________________________________________________________
_____

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same
machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in
question.

If you include the word 'help' in the body of an email to the above
address,
it will also send back an information file on how to
subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities ( at , inc )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBNv07sLnzJzdsy3QZAQEZjwQA6+nHONNAmoosXGsy9eJ6nuIPlFNQ3nM9
+XN1vnqBNI9Hp3kBIXtPXywY4W19NQbyyax6YI+ugmmNfNPEdefeHqnNGuz3dqcW
Ce2RQWnPB1dRrUBTorU+cZHsaq+qaX4s2jSNFlJCFeSuUjNYhzVI6HHilhvGZCQI
wuSjLbuYabo=
=KVaC
-----END PGP SIGNATURE-----









Date: Sat, 27 Mar 1999 07:08:30 -0500
Message-ID: <199903271208.HAA17869@coal.cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-04-Melissa-Macro-Virus

Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999

Systems Affected

* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this macro
virus.

Overview

At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.

Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for
this
virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not
known to exploit any new vulnerabilities. While the primary transport
mechanism of this virus is via email, any way of transferring files
can also propagate the virus.

Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.

I. Description

The Melissa macro virus propagates in the form of an email message
containing an infected Word document as an attachment. The transport
message has most frequently been reported to contain the following
Subject header

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we
are likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created
by the victim.

When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
enabled.

Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed
in
the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist
or does not have a value of "... by Kwyjibo", the virus proceeds to
propagate itself by sending an email message in the format described
above to the first 50 entries in every MAPI address book readable by
the user executing the macro. Keep in mind that if any of these email
addresses are mailing lists, the message will be delivered to
everyone
on the mailing lists. In order to successfully propagate, the
affected
machine must have Microsoft Outlook installed; however, Outlook does
not need to be the mailer used to read the message.

Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only
propagate
once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per every
session when a user opens an infected document. If the registry key
persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of
Word97 may trust macros in templates the virus may execute without
warning. For more information please see:

http://www.microsoft.com/security/bulletins/ms99-002.asp

Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You
can
see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document available at:

http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

* Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any
documents referencing this template to be infected with this
macro
virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that
this could cause the user's document to be propagated instead of
the original document, and thereby leak sensitive information.

* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with
their mail servers as a result of the propagation of this virus.

III. Solutions

* Block messages with the signature of this virus at your mail
transfer
agents.

With Sendmail

Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain the
Melissa virus. This information is available from the follow URL:

ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m
elissa-filter.txt

* Utilize virus scanners

Most virus scanning tools will detect and clean macro viruses. In
order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.

+ McAfee / Network Associates

http://vil.mcafee.com/vil/vm10120.asp

http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

+ Symantec

http://www.symantec.com/avcenter/venc/data/mailissa.html

+ Trend Micro

http://housecall.antivirus.com/smex_housecall/technotes.html

* Encourage users at your site to disable macros in Microsoft Word

Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage users to
disable macros in any product that contains a macro language as
this sort of problem is not limited to Microsoft Word.

In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a
security
level variable similar to Internet Explorer (click on
Tools/Macro/Security and choose High, Medium, or Low). In that
case, 'High' silently ignores the VBA code, Medium prompts in the
way Word97 does to let you enable or disable the VBA code, and
'Low' just runs it.

Word2000 supports Authenticode on the VB code. In the 'High'
setting you can specify sites that you trust and code from those
sites will run.

* General protection from Word Macro Viruses

For information about macro viruses in general, we encourage you
to review the document "Free Macro AntiVirus Techniques" by
Chengi
Jimmy Kuo which is available at.

http://www.nai.com/services/support/vr/free.asp

Acknowledgements

We would like to thank Jimmy Kuo of Network Associates, Eric Allman
and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro,
and
Jason Garms and Karan Khanna of Microsoft for providing information
used in this advisory.

Additionally we would like to thank the many sites who reported this
activity.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office

______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

______________________________________________________________________

Revision History

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
=aABH
- -----END PGP SIGNATURE-----

------- End of Forwarded Message