March 2007 - Posts

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: March 31, 2007

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (935423)

- Title: Vulnerability in Windows Animated Cursor Handling

- http://www.microsoft.com/technet/security/advisory/935423.mspx

- Revision Note: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the "Related Software" section.

********************************************************************

 

Update on Microsoft Security Advisory 935423

Hello everyone,

This is Christopher Budd. We’ve gotten some questions from customers around the security advisory that we released yesterday, Microsoft Security Advisory (935423). Specifically, we’ve been getting questions about:

• When we learned about the vulnerability

• When we learned about the attack

• What we're doing to help protect customers

• When we expect to release an update

• Our recommendation around 3rd party workarounds or updates

 

I wanted to take a few minutes to answer these questions and give you the latest information on the situation.

When we learned about the vulnerability

We were first made aware of the vulnerability in Windows Animated Cursor Handling on December 20, 2006 when it was responsibly reported to us by a security researcher at Determina. My colleague Adrian Stone took the report and immediately began an investigation, working with Determina on the issue. We have been working on this investigation since December to fully understand the issue and have been working to develop a comprehensive update as part of our standard MSRC process. Determina has been and continues to work with us responsibly on this issue, and we thank them for helping us to protect customers.

When we learned about the attack

We first learned about the attack when we were notified on the afternoon of Wednesday, March 28, 2007 by McAfee through our Microsoft Security Response Alliance (MSRA) program. McAfee contacted us about a new, limited attack using an unknown method. We immediately initiated our Software Security Incident Response Process (SSIRP) to investigate the issue. Our investigation determined that the attack was utilizing this particular vulnerability. Our security teams worked overnight, and we released Microsoft Security Advisory (935423) on the morning of March 29, 2007 with information about the situation and steps that customers can take to protect themselves.

It is important to note that this issue wasn’t publicly disclosed by Determina. Sometimes issues that are reported to us responsibly by a security researcher are later found independently by other researchers who choose not to handle that issue responsibly and that is the case here.

What we’re doing to help protect customers

When we initiate our SSIRP process for an issue like this, our teams work constantly until the issue is resolved and customers are protected. We published the security advisory as part of that process, but that’s not all we do, and we don’t stop once we publish the advisory. As part of our SSIRP process we have multiple teams focused on ongoing work that can help better protect customers while we are working on a security update and we’re using them fully in this incident.

Our teams that focus on working with our partners through the MSRA have provided information to these partners through the MSRA that they can use to build signatures for products such as antivirus and intrusion detection and protection systems. These signatures can detect and protect against attempts to exploit the specific vulnerability. We also work with these partners to constantly monitor the threat environment for any changes which helps us with our ongoing assessment of the situation. We’ve also worked with partners and law enforcement to remove malicious sites that are attempting to exploit this vulnerability when our investigations have uncovered them.

We also have people like Jonathan on our security teams who continuously investigate the technical issues to better understand them and come up with more and better ways customers can protect themselves. As we have new information from our ongoing monitoring, research, and communications with partners, we update the security advisory with that information. So for example, we made an update last night to the advisory after our ongoing research found that “read as plain text” wasn’t a comprehensive protection for Outlook Express and would not always protect Windows Mail when forwarding or replying to the attackers’ email. We also updated the advisory to show that while the attacks are still limited, they were no longer targeted based on information from our ongoing monitoring.

When an update will be released

Our teams are actively working on a security update for this issue and we currently plan to release it as part of our regular monthly update process. That said, we are actively monitoring this situation as part of our process and will always consider releasing an out of cycle update if we have a quality update available and customers are at serious risk: we have done this before and can do it here if appropriate. However, we always try to release updates as part of our regular monthly release cycle because customers have told us that it’s easier for them to test and deploy updates when they’re released as part of a predictable process.

3rd party workarounds or updates

While we appreciate that these are provided to help protect customers, we do recommend that customers only apply security updates and mitigations provided by the original software vendor. This is because as the maker of the software, we can give our security updates and guidance thorough testing and evaluation for quality and application compatibility purposes. We’re not able to provide similar testing for independent third party security updates or mitigations.

I hope this helps answer questions people have about the situation and what we’re doing. We will continue to monitor and investigate this situation and make new information available through the MSRC weblog and our security advisory as we have it.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.* 

Published Friday, March 30, 2007 3:45 PM by MSRCTEAM

 

Update on ANI Exploit
Posted by Mikko @ 15:09 GMT


The Windows Animated Cursor Handling vulnerability – CVE-2007-1765 – is out there although we aren't getting a huge amount of customer reports. However, do be cautious over the weekend. The bad guys will be trying their best to use this exploit before Microsoft releases a patch.


Current testing indicates that this is mainly an Internet Explorer and Outlook issue. So we'd suggest using something else.

SANS Internet Storm Center has good information on mitigations and domains to block.

Source: F-Secure : News from the Lab - March of 2007

 

Thoughts on the TJX Data Theft

Thursday March 29, 2007 at 11:37 am CST
Posted by Allysa Myers


More information on the subject of the TJX data theft has come to light as they have filed their annual report to the SEC. The gist is that between July 2005 and January 2007, the debit and credit card numbers from customers of a number of stores were taken by hackers who have yet to be caught. (Though people who have apparently purchased stolen credit card numbers are starting to be caught.)

Specifically, the stores in question are TJ Maxx, TK Maxx, Marshalls, Home Goods, HomeSense, AJ Wright stores, Bob’s Stores, and Winners. If you think you might have purchased or returned something to these stores in that time span, it’s a good idea to contact your bank and one of the three major credit-reporting agencies. This site has good information about what you’ll need to do.

There are also some financial institutions that have already done this for their customers, to help protect them from the sort of frauds which are already going on as a result of this. In some cases, they’ve even gone so far as to identify customers who have gone to those stores in that time span and issued the customers a new card. If that’s the case, you will have received notification from your bank explaining what has happened, and potentially a new card.

This highlights the importance of having adequate security measures in place. It is not enough to simply have up-to-date AV software, and to make sure you're up to date on OS and application security patches. Even home users, at this point, should also have a firewall that is configured to shut off any port you're not specifically using. This goes double for companies that might actively be targeted by hackers. This will prevent the successful infiltration and exfiltration of the sort of targeted Trojan attacks that have become more and more popular lately.

Companies need to take extra precautions due to the extra value of data within their networks and the sheer number of people who are within it who could accidentally or intentionally compromise the network’s security. It’s important to assess your network and determine what your biggest risks are so you can minimize those risks where possible and protect the things that are most important in your organization. In the TJX incident, use of data leakage protection solutions could have been very helpful in keeping this data from being stolen. Intrusion prevention systems could also have helped prevent targeted malware from being able to perform its functions.

We’re living in a very different world now, in terms of hackers and malware. It isn’t enough to do the bare minimum and expect that you’ll probably be okay. There can be very severe consequences, especially financially, when you are careless with your own or your customers’ data. You can be confident that if you have valuable information, there will be someone trying to get into your system to find it. Perhaps they already have done so.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Published: 2007-03-30,
Last Updated: 2007-03-30 21:38:53 UTC
by Swa Frantzen (Version: 2)

A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-0038, previously also CVE-2007-1765) depending on the actions and settings of the email client.

The surprising element is that "read in plain text" mode makes some of the clients more vulnerable and actually only offers real added value -for this vulnerability- for Outlook 2003.

Client                              | Default settings | Read in plain text mode | Reply/Forward with "Read in Plain Text" set
Windows XP Outlook Express, preview | Vulnerable(*)    | Vulnerable              | Vulnerable
Windows XP Outlook Express, open    | Vulnerable(*)    | Vulnerable              | Vulnerable
Vista Mail, preview                 | Vulnerable       | -                       | Vulnerable
Vista Mail, open                    | Vulnerable       | -                       | Vulnerable
Outlook 2003, preview               | Vulnerable       | -                       | -
Outlook 2003, open                  | Vulnerable       | -                       | -
Outlook 2007, preview               | -                | -                       | -
Outlook 2007, open                  | -                | -                       | -

A dash marks a configuration that was not found vulnerable.

(*) It does interact with the user before being vulnerable, but we all know what typical users would do.

--
Swa Frantzen -- NET2S

 

Windows Animated Cursor Handling vulnerability - CVE-2007-0038

Published: 2007-03-29,
Last Updated: 2007-03-30 21:40:50 UTC
by Maarten Van Horenbeeck (Version: 10)

Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows renders animated cursor files can allow execution of arbitrary code under the privileges of the user that downloaded the malicious file. CVE-2007-0038 (previously also CVE-2007-1765) has been assigned to this vulnerability.
Affected are Win2k SP4, XP SP2 (but not SP0 and SP1), Server 2003 and Vista. While animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability. We have received reports of this vulnerability being exploited in the wild using files renamed to .jpeg.
McAfee has a blog entry up on this. They also have a second blog entry with a video showing Windows Explorer crashing in a loop on Windows Vista when dropping a malicious animated cursor on the desktop. Trend Micro is reporting here on malicious .ANI files and related links being spread over the web and through e-mail that attempt to download a trojan executable, WINCF.EXE.

Mitigation:

  • Microsoft is reporting that users of Internet Explorer 7 with Protected Mode are protected from active exploitation.
  • E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon.  [Thunderbird | Outlook & 2.0].
  • Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.

Recent mitigation updates:

  • Microsoft has now confirmed that:
    • Outlook 2007 users are protected (as the tool uses Word to display HTML messages);
    • Users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mail;
    • Outlook Express users remain vulnerable even when reading e-mail as plaintext.
  • eEye has released an unofficial patch that you may wish to consider

The vulnerability has been added to our missing microsoft patches table.

References:

CVE 2007-1765 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

A good write-up and analysis of one ani exploit in action:
http://www.mnin.org/write/ani-notes.pdf
Arbor Network's write-up:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2007-03-30,
Last Updated: 2007-03-30 21:19:28 UTC
by donald smith (Version: 3)
I recommend a defense in depth approach. Do not rely on just one level of detection or filtering; use as many as feasible.

Antivirus:
Many commercial Antivirus products detect some or all of these exploits.
Make sure your Antivirus engine and signatures are up to date.
That will greatly increase your chances of blocking an exploit.

IDS rules:
There was a typo in the Bleeding Edge Snort rule it is corrected now.
Updated Bleeding Edge Snort IDS rule for the currently observed JPEG renamed ANIs is available here.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

From Sourcefire: this rule is in all VRT certified rulesets, including the free ruleset, and has been out since January 2005. The latest version is available here.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
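Both rules above key on the same structural fact: a well-formed anih chunk is exactly 36 bytes, and the exploit files declare a larger one. The following Python script, added here as an illustration and not part of the diary or of either rule set, walks the RIFF chunk tree of a cursor file and applies that size check to every anih chunk rather than only the first, and also looks for the literal byte string from the Bleeding Edge rule. It builds its own constructed sample files: a well-formed cursor, and one with an oversized second anih chunk (that second-chunk layout is chosen to mirror the public descriptions of the in-the-wild files and is an assumption here, not something taken from the diary). File extensions are ignored on purpose, so a renamed .jpg is parsed like any other file.

```python
import struct

# sizeof(ANIHEADER), the fixed-size structure an anih chunk is copied into;
# this is the 36-byte length both Snort rules above key on.
ANIH_STRUCT_SIZE = 36

# Byte string from the Bleeding Edge rule (sid:2003519) for the currently observed files.
BLEEDING_EDGE_PATTERN = bytes.fromhex(
    "54 53 49 4c 03 00 00 00 00 00 00 00 54 53 49 4c 04 00 00 00 "
    "02 02 02 02 61 6e 69 68 52"
)


def riff_chunk(fourcc, payload):
    """Serialize one RIFF chunk: fourcc, little-endian size, payload, padded to even length."""
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(second_anih_payload=None):
    """Constructed sample .ani: one well-formed anih header plus one frame.
    If second_anih_payload is given, a second anih chunk of that length is
    appended. This is a synthetic file, not a captured exploit (assumption:
    the oversized chunk sits after the frame list, as public analyses described)."""
    header = struct.pack("<9I", ANIH_STRUCT_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)
    frames = riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\x00" * 22))
    body = b"ACON" + riff_chunk(b"anih", header) + frames
    if second_anih_payload is not None:
        body += riff_chunk(b"anih", second_anih_payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, bytes_actually_present) for each chunk in
    data[start:end], descending into LIST chunks. Declared sizes are never
    trusted: the walk is bounded by the real buffer, not by what the file claims."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        declared = struct.unpack_from("<I", data, off + 4)[0]
        payload = off + 8
        present = min(declared, end - payload)
        yield fourcc, declared, present
        if fourcc == b"LIST" and present >= 4:
            yield from iter_chunks(data, payload + 4, payload + present)
        off = payload + declared + (declared & 1)


def analyze_ani(data):
    """Return a list of findings (empty means nothing suspicious).
    Checks every anih chunk, not just the first one, and flags chunks
    that claim more bytes than the file actually contains."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    if BLEEDING_EDGE_PATTERN in data:
        findings.append("matches Bleeding Edge sid:2003519 content string")
    anih_seen = 0
    for fourcc, declared, present in iter_chunks(data, 12, len(data)):
        if fourcc == b"anih":
            anih_seen += 1
            if declared != ANIH_STRUCT_SIZE:
                findings.append(
                    f"anih chunk #{anih_seen} declares {declared} bytes, expected {ANIH_STRUCT_SIZE}"
                )
        if declared > present:
            findings.append(
                f"chunk {fourcc.decode('latin-1')!r} declares {declared} bytes but only {present} remain"
            )
    return findings


if __name__ == "__main__":
    samples = (("benign", build_ani()), ("oversized 2nd anih", build_ani(b"A" * 80)))
    for label, sample in samples:
        print(label, analyze_ani(sample) or "clean")
```

Run it over files pulled from a proxy cache or mail quarantine: anything that is RIFF/ACON with a non-36-byte anih chunk, or with a chunk that claims more bytes than remain, deserves a closer look. Because the walk is bounded by the real buffer length rather than by the declared sizes, a malformed file cannot make the scanner itself misbehave.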

Several other commercial filtering products detect these exploit attempts.
Once again updated signatures and engines will increase your chances of detecting them.

Based on the similarities I have seen between exploits, there is probably a tool that creates the ANI exploits, so domain blocking or blocking based on MD5s has value but may be difficult to manage and maintain.
I would still recommend blocking the domains or MD5s being used on a router, firewall, or DNS, wherever you can block them.
Some of these sites may be victims themselves but some of these have been serving up malware for a LONG time.
The bc0.cn site was used in the Dolphin's Superbowl infection.
Even if you do not block them you may wish to review your proxy logs for these.

Domains/IPs currently being used in exploitation:
1.520sb.cn
220.71.76.189
222.73.220.45
55880.cn
81.177.26.26
85.255.113.4
bc0.cn
client.alexa.com
count12.51yes.com
count3.51yes.com
d.77276.com
fdghewrtewrtyrew.biz
i5460.net
jdnx.movie721.cn
newasp.com.cn
s103.cnzz.com
s113.cnzz.com
ttr.vod3369.cn
uniq-soft.com
wsfgfdgrtyhgfd.net
www.04080.com
www.33577.cn
www.baidu.com
www.h3210.com
www.hackings.cn
www.koreacms.co.kr
www.macrcmedia.com
www.macrcmedia.net
www.ncph.net
www.xxx.cn
ym52099.512j.com
www.jonnyasp.com


MD5s for malware related to ANI exploitation:
6662903c99b5113b655654483ec5c0e8
5364153c076562946f3cc695a35fbf6b
73705f9a1d8530596be4be3b4cb5d16b
70982dc6ae9c4fe17997260455cda76e
4923d09707a071f7f4f7dea4814c16b9
1896b3ac193326b794da3ac766b2a2f0
894b21864bf7eb495f7bd718847b24e8
793ce59e19086c3076ca2c6ca8814dc7
744bc40fa377dad434584dc8f866d108
695d4a93454fb654689e1afb5a4ee600
629a6ba2ac575ee52a8856d856e9cf42
0222c40aecde4e0b89e5c3a6bc994f2b
88f053d01add25ff6389db21449a0190
088e93a6f4a77b4d8cc81c1adc047715
83b09c4e2555dd6275ee8cb73ad96a7a
68ec530dc46a0481d66faf27fe3c5c6c
68c675f8c4c8c3dd9527835efbaed5b1
62ed55db8277625b2e20ac43ebcd8d85
61f2bab66d112dedbe5fd753b215328f
28f431799ccf43d33239e3d5deeb7e5d
23ea608bcd1cfd319d707900d18dac20
22a7b86213cfbe53f0112a4c50a10264
8e12a8281a6c6ebdbd75c26a93e69437
8cffb9985b8550d6582f461dd90dd813
8b24d74d5a3fa86fa64d6ffc356c8152
7f4d923c14a85df003c94a99639a01f6
5b35f6b8126c15948533a6d14245d533
5a6ef31817acc798e1b22427a9273cc3
4db7f92300fed1d4567588b4026684f4
4cbb8e85812c4f07131a78b068f0eb9b
4b6a9734ebaa66c75bc8bd021b87e07d
4b2362d077261c7cd77d41ff6a527dbb
4aaa3259905846b90fbb33c040604f8f
2c7acfc5ff609a9c1f14c5b021f04617
2bebdbf7bb891653c74f089e9fbe9abc
1ca851d1f5b9a3b5c43dae971a1e3936
1b8682677af1feb67153666fad0de224
1b40e0e90ce5e7d1ff6c89e813da82a3
1a7637bb4a13d99132a97fcff50e406a
1a3880cd36e999dc1c47147095d95de2
fe461d468b00a8e29273719bfa2704f0
f6e573cf6ca3f938e2df112894ca7426
eb41d61264e4c65406565058a660a904
ea92cbea2ff4ab80aae7badffdb04dfc
e8956fcb0d85b3bf54dcf69c36294b7f
e3fcb903305f8ee5551ea66f5c096737
e1b65c759eeaeed48328017f1d449306
e0aa021e21dddbd6d8cecec71e9cf564
e00b3a3544b6204c5b8d31ed9672375c
d81e158318334879c7e1e64113f6d178
d75351ae3b70560dbbd0ef56965343a5
d41aeae4b1cdd8c42d1eb58526520150
d08f699eb6a19ad3477f22b9f3d5089d
ccb34851f859f7f1bb682a043a21d878
caf72b4024c878d13923823d2911af39
cadffee7afa59157fe4453c2b0159742
c0f68b7de2c102b17c39a54a4912cea4
ac39f0abcd0cd8d9fb39b0b086065294
abf523bb192825e9ecb3fb49e6049782
a7581135bfafb74bb838c572922aa875
a623e8bb1f1443fdebcdab3941536c83
a29595ae2c689049cdf0c5a2cdfeee90
5500e23bdcd55dfa59e5371eee815151
9b5ddaaad83d326198258064c9e6ea2d
8503418350b9e81642e2c86df5e2b577

Finally A big THANK YOU to all the people who submitted sites or binaries.
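As a worked example of the proxy-log review suggested above (added here; this is not the diary author's code), the following Python snippet parses Squid-format access log lines, extracts the requested host and matches it against a blocklist with parent-domain matching, so a request to a subdomain of a listed domain is caught while a look-alike such as notbc0.cn is not. It also checks file contents against the MD5 list. The log lines and the short domain and hash subsets are constructed for the demo, and the Squid native log format is an assumption; the full lists from the diary drop in unchanged.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Short subsets of the domain and MD5 lists above (the full lists drop in unchanged).
BLOCKED_DOMAINS = {"bc0.cn", "55880.cn", "fdghewrtewrtyrew.biz", "jdnx.movie721.cn", "www.hackings.cn"}
KNOWN_BAD_MD5 = {"6662903c99b5113b655654483ec5c0e8", "5364153c076562946f3cc695a35fbf6b"}

# Constructed Squid native-format lines: timestamp elapsed client action/code size method url ...
SAMPLE_LOG = """\
1175270400.123    512 10.1.2.3 TCP_MISS/200 2210 GET http://jdnx.movie721.cn/js/ie.js - DIRECT/222.73.220.45 text/javascript
1175270401.456     88 10.1.2.3 TCP_MISS/200 4120 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1175270402.789    300 10.1.2.9 TCP_MISS/200 1930 GET http://ad.bc0.cn/x.jpg - DIRECT/222.73.220.45 image/jpeg
1175270403.000    120 10.1.2.9 TCP_TUNNEL/200 0 CONNECT notbc0.cn:443 - DIRECT/198.51.100.7 -
""".splitlines()

SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True for an exact match or any parent domain on the list:
    ad.bc0.cn matches bc0.cn, notbc0.cn does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def request_host(url):
    """Host part of a proxy log URL; CONNECT lines carry host:port rather than a URL."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def scan_proxy_log(lines, blocked=BLOCKED_DOMAINS):
    """Return (client, host, url) for every request whose host is on the blocklist."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        host = request_host(m.group("url"))
        if host and host_is_blocked(host, blocked):
            hits.append((m.group("client"), host, m.group("url")))
    return hits


def md5_is_known_bad(data, known=KNOWN_BAD_MD5):
    """Check a file's bytes (the whole file) against the MD5 list."""
    return hashlib.md5(data).hexdigest() in known


if __name__ == "__main__":
    for client, host, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched {url} (host {host} is on the blocklist)")
```

Parent-domain matching is deliberate: the list above mixes bare domains and full hostnames, and an exploit kit can be moved to a new subdomain without the operator touching the listed zone. Treat hits on the legitimate services in the list (counter and search sites) as leads to correlate with an ANI download, not as verdicts on their own.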

 


ANI File Exploit Has Connection With Hacked Super Bowl Site

Thursday March 29, 2007 at 11:03 pm CST
Posted by Craig Schmugar


Another follow-up to my Unpatched Drive-By Exploit Found On The Web post.

Last month Websense reported that the official website of Dolphin Stadium, host of Super Bowl XLI, was compromised and serving malicious code.  In fact that was a massive attack affecting thousands of websites.  Those sites were injected with a script reference that pointed to exploit code.  At that time, the code exploited known vulnerabilities.

The SANS Institute did some investigating into that incident.  They posted portions of a response they received from a system admin where it was clear that a remote attacker exploited a SQL injection vulnerability to embed the malicious script.  The same script is now serving the ANI file 0-day exploit reported yesterday.  Googling the referenced script yields 113,000 results.  It’s likely that most of those sites were compromised through SQL injection vulnerabilities.  Of course many of these sites have been cleaned up, malicious references removed, but not all.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Cursors and Icons and Exploits—Oh My!

Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation, prior to rendering cursors, animated cursors, and icons. If successfully exploited, it will allow an attacker to perform remote code execution on the victim machine. In order to carry out an attack, the attacker would need to convince potential victims to either visit a Web site that contains a Web page that is used to exploit the vulnerability, or view a specially crafted email message or email attachment. The attacker could enable an affected system to execute code once a user has viewed a malicious Web page, previewed or read a specially crafted message, or opened a specially crafted email attachment.

While it is similar to the vulnerability described in Microsoft Security Bulletin MS05-002, this is an entirely new vulnerability. Currently, there is no patch available from Microsoft; however, according to Microsoft's advisory the following workaround will help to block potential attack vectors. From their advisory:

"Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail preview attack vector."

Users of Symantec products are already protected from this threat. So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension. Users are advised to ensure they have the latest security updates installed; this will help them mitigate the vulnerability until a patch is available from Microsoft. Additionally, Symantec is advising that users should avoid opening email messages from unknown or untrusted sources.

Posted by Andy Cianciotto on March 29, 2007 04:40 PM

Source: Symantec Security Response Weblog: Cursors and Icons and Exploits—Oh My!

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 29, 2007
********************************************************************
Security Advisories Updated or Released Today
==============================================
 * Microsoft Security Advisory (935423)
  - Title: Vulnerability in Windows Animated Cursor Handling
  - http://www.microsoft.com/technet/security/advisory/935423.mspx
  - Revision Note: Advisory revised to add additional information regarding Outlook 2007 in the Mitigations Section. The Workarounds Section also updated to clarify impact and use of plain text email on Windows Mail and Outlook Express.
********************************************************************

 

Windows Cursor 0-Day
Written by Editor

Friday, 30 March 2007

Yesterday, details were released of a vulnerability in Microsoft Windows in the handling of icons and animated cursors. It also seems that the vulnerability may have been connected with the compromise of the Dolphin Stadium web site last month.

Firstly, the Windows vulnerability is a memory-corruption error caused when handling malformed ANI cursor or icon files. The vulnerability can allow the execution of arbitrary code on the targeted computer in the context of the user.

An attacker can exploit this vulnerability by enticing an unsuspecting user to access an HTML document which references a specially crafted ANI file. The vulnerability is present on Windows XP SP2, Windows 2003 SP1 and Windows Vista running Internet Explorer 6 and 7. It also seems that this vulnerability can be exploited via email too, with a specially crafted email. In this case Windows XP Outlook Express, Windows Vista Mail and Outlook 2003 are all vulnerable in default settings.

The vulnerability has been acknowledged by Microsoft in an advisory along with advisories posted by eEye and CERT. The researchers at McAfee have also blogged about this vulnerability.

As to the possible connection with the hacked Dolphin Stadium web site, the hack affected a large number of sites last month. Compromised sites were injected with a script reference that pointed to exploit code. At the time, the exploit code used was for some older previously fixed vulnerabilities. However, it seems after a recent investigation by SANS the same script used in that hack is now serving the exploit code for this vulnerability.

Source: Virus.Org - Windows Cursor 0-Day

 

IE7.0.exe

Published: 2007-03-29,
Last Updated: 2007-03-29 22:53:38 UTC
by Swa Frantzen (Version: 1)

We've received a number of reports of spam appearing to come from "admin@microsoft.com" containing links to a file called IE7.0.exe.

This is what VirusTotal has to say about it:

Antivirus     | Version        | Update   | Result
AhnLab-V3     | 2007.3.30.0    | 20070329 | -
AntiVir       | 7.3.1.46       | 20070329 | TR/Proxy.Agent.CL
Authentium    | 4.93.8         | 20070329 | -
Avast         | 4.7.936.0      | 20070329 | -
AVG           | 7.5.0.447      | 20070329 | -
BitDefender   | 7.2            | 20070329 | -
CAT-QuickHeal | 9.00           | 20070329 | (Suspicious) - DNAScan
ClamAV        | devel-20070312 | 20070329 | -
DrWeb         | 4.33           | 20070329 | -
eSafe         | 7.0.15.0       | 20070329 | -
eTrust-Vet    | 30.6.3522      | 20070329 | -
Ewido         | 4.0            | 20070329 | -
F-Prot        | 4.3.1.45       | 20070328 | -
F-Secure      | 6.70.13030.0   | 20070329 | Virus.Win32.Grum.a
FileAdvisor   | 1              | 20070330 | -
Fortinet      | 2.85.0.0       | 20070329 | suspicious
Ikarus        | T3.1.1.3       | 20070329 | -
Kaspersky     | 4.0.2.24       | 20070329 | Virus.Win32.Grum.a
McAfee        | 4995           | 20070329 | -
Microsoft     | 1.2306         | 20070329 | -
NOD32v2       | 2154           | 20070329 | -
Norman        | 5.80.02        | 20070329 | -

Panda