
Thread: Unknown svchost.exe DNS port 53 network activity

  1. #31
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    William wrote:
    > On 12/26/2006 10:21 PM, something possessed Raffi to write:
    > > David H. Lipman wrote:
    > >> From: "Raffi" <thegrizzzly@yahoo.com>
    > >>
    > >>
    > >>
    > >> | I had some time to do packet analysis using Ethereal and most of the
    > >> | connections were DNS queries and SMTP connections.
    > >>
    > >> | I went ahead and blocked all traffic from the PC to the ISP DNS servers
    > >> | in my firewall (Comodo). The DNS server for my PC is statically defined
    > >> | as the gateway router. Since the ISP DNS was no longer accessible it
    > >> | rerouted the DNS queries (and/or query responses) to the gateway
    > >> | router. These were a bunch of MX queries for mostly .ru domains.
    > >>
    > >> | Next I blocked all inbound and outbound UDP connections for svchost.exe
    > >> | and services.exe. This stopped most of the traffic. After a while I
    > >> | started seeing traffic to a couple of specific ip addresses
    > >> | (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
    > >> | nslookup. I blocked these IP addresses in the firewall as well. Next
    > >> | the PC started sending out a bunch of broadcasts (.255). So I blocked
    > >> | outbound broadcast connections.
    > >>
    > >> | Next it started sending broadcast to 0.255 using the ZIP (Zone
    > >> | Information Protocol) protocol. I don't think I've seen this one
    > >> | before. I haven't been able to block these yet.
    > >>
    > >> | My guess is the PC is somehow being used as a DNS/SMTP relay. Another
    > >> | guess is my svchost.exe and/or services.exe have been compromised.
    > >>
    > >> | As usual, any help in getting to the bottom of this would be welcome.
    > >>
    > >> | Raffi
    > >>
    > >> http://www.dnsstuff.com/tools/whois....whois.arin.net
    > >>
    > >> http://www.dnsstuff.com/tools/whois....4.215&email=on
    > >>
    > >>
    > >> This is suspicious.
    > >>
    > >> You may have to back up the PC, wipe it and then reinstall the OS from scratch if all the
    > >> scans have come up negative.
    > >>
    > >> The only other option is to use anti-rootkit software such as Gmer and BlackLight to find
    > >> the malware. Otherwise, wipe the system.
    > >>
    > >> --
    > >> Dave
    > >> http://www.claymania.com/removal-trojan-adware.html
    > >> http://www.ik-cs.com/got-a-virus.htm

    > >
    > > Update - I had tried a couple of rootkit detection tools without
    > > success and had given up. But gmer finally found it. Turns out it is a
    > > rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
    > > data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
    > > This Symantec website has more information:
    > > http://www.symantec.com/security_res...305-99&tabid=3
    > >
    > > The symptoms for the rootkit are similar to what I'm experiencing. From
    > > what I've read so far it might be tricky to get rid of. It seems to be
    > > active in safe mode as well. I'll be searching for a way to get rid of
    > > it. If there are any ideas out there, please let me know.
    > >
    > > Thanks for all the help.
    > > Raffi
    > >

    > First, stay off the network with your infected PC. Secondly, get
    > PEBuilder and create a BartPE LiveCD. Use this to edit your
    > registry.hiv file in order to remove the rootkit (I haven't done the
    > research because my blood sugar is getting low, so you'll need to do the
    > research to figure out what registry keys in registry.hiv should be
    > deleted (or maybe someone else here will be nice enough to post those
    > for you). Good luck.
    >
    > Cheers,
    >
    > Will


    Will,

    Thanks for the suggestions. I did manage to clean my system using a
    tool called "rustbfix.exe". My guess is this tool disables the rootkit
    in the registry but doesn't actually delete the stream
    (c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
    again and had to manually delete the stream. The stream was
    inaccessible before but after running the cleaning tool, I was able to
    delete it.

    Anyway, this little adventure took up a lot of my time and hopefully
    this message thread will help others get to a fix much quicker/easier.

    Thanks to everyone for the help and suggestions.

    Raffi
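The first symptom Raffi describes, a workstation issuing a stream of MX lookups for many unrelated domains, is something a defender can pick out of resolver or firewall DNS logs before ever running a rootkit scanner. The following is an added example, not code from the thread or from any tool named in it: it scores each client by the number of distinct domains it asks MX records for inside a sliding time window. The "timestamp client qtype qname" log format, the sample lines and the threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp client qtype qname"
# format (not any particular resolver's native log). Domains are placeholders.
SAMPLE_LOG = """\
2006-12-26T22:01:00 192.168.1.20 MX example.ru
2006-12-26T22:01:01 192.168.1.20 MX mail-test.ru
2006-12-26T22:01:01 192.168.1.20 MX another-example.ru
2006-12-26T22:01:02 192.168.1.20 MX third-example.ru
2006-12-26T22:01:03 192.168.1.20 MX fourth-example.ru
2006-12-26T22:01:03 192.168.1.20 MX fifth-example.ru
2006-12-26T22:01:05 192.168.1.30 A www.example.com
2006-12-26T22:01:06 192.168.1.30 MX example.com
2006-12-26T22:05:00 192.168.1.20 MX sixth-example.ru
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client, qtype, qname), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.lower().rstrip(".")


def find_mx_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client: (first_ts, sorted_domains)} for every client that asks
    for MX records of at least `threshold` distinct domains within `window`.

    Ordinary workstations almost never issue MX queries at all; a legitimate
    mail server issues them to the domains it relays for. A desktop that
    suddenly resolves MX records for dozens of unrelated domains is behaving
    like a spam-relay bot, which is the pattern described in the thread.
    """
    recent = defaultdict(deque)   # client -> deque of (timestamp, qname)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname = rec
        if qtype != "MX":
            continue
        q = recent[client]
        q.append((ts, qname))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= threshold and client not in alerts:
            alerts[client] = (q[0][0], sorted(distinct))
    return alerts


if __name__ == "__main__":
    for client, (since, domains) in find_mx_bursts(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} distinct MX targets since "
              f"{since:%H:%M:%S}: {', '.join(domains)}")
```

The window and threshold are tuning knobs: on a network where no host other than the mail gateway should ever send MX queries, a threshold of one distinct domain from any other client is a perfectly reasonable rule, and the gateway can simply be excluded from the scan.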


  2. #32
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>

    | Will,

    | Thanks for the suggestions. I did manage to clean my system using a
    | tool called "rustbfix.exe". My guess is this tool disables the rootkit
    | in the registry but doesn't actually delete the stream
    | (c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
    | again and had to manually delete the stream. The stream was
    | inaccessible before but after running the cleaning tool, I was able to
    | delete it.

    | Anyway, this little adventure took up a lot of my time and hopefully
    | this message thread will help others get to a fix much quicker/easier.

    | Thanks to everyone for the help and suggestions.

    | Raffi

    That would be the following Rustock RootKit removal tool...
    http://www.uploads.ejvindh.net/rustbfix.exe


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  3. #33
    William Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    "Raffi" <thegrizzzly@yahoo.com> wrote in
    news:1167356727.668651.286010@48g2000cwx.googlegroups.com:

    >
    > William wrote:
    >> On 12/26/2006 10:21 PM, something possessed Raffi to write:
    >> > David H. Lipman wrote:
    >> >> From: "Raffi" <thegrizzzly@yahoo.com>
    >> >>
    >> >>
    >> >>
    >> >> | I had some time to do packet analysis using Ethereal and most of
    >> >> | the connections were DNS queries and SMTP connections.
    >> >>
    >> >> | I went ahead and blocked all traffic from the PC to the ISP DNS
    >> >> | servers in my firewall (Comodo). The DNS server for my PC is
    >> >> | statically defined as the gateway router. Since the ISP DNS was
    >> >> | no longer accessible it rerouted the DNS queries (and/or query
    >> >> | responses) to the gateway router. These were a bunch of MX
    >> >> | queries for mostly .ru domains.
    >> >>
    >> >> | Next I blocked all inbound and outbound UDP connections for
    >> >> | svchost.exe and services.exe. This stopped most of the traffic.
    >> >> | After a while I started seeing traffic to a couple of specific
    >> >> | ip addresses (208.66.195.78 and 62.189.194.215) which don't
    >> >> | resolve to anything with nslookup. I blocked these IP addresses
    >> >> | in the firewall as well. Next the PC started sending out a bunch
    >> >> | of broadcasts (.255). So I blocked outbound broadcast
    >> >> | connections.
    >> >>
    >> >> | Next it started sending broadcast to 0.255 using the ZIP (Zone
    >> >> | Information Protocol) protocol. I don't think I've seen this one
    >> >> | before. I haven't been able to block these yet.
    >> >>
    >> >> | My guess is the PC is somehow being used as a DNS/SMTP relay.
    >> >> | Another guess is my svchost.exe and/or services.exe have been
    >> >> | compromised.
    >> >>
    >> >> | As usual, any help in getting to the bottom of this would be
    >> >> | welcome.
    >> >>
    >> >> | Raffi
    >> >>
    >> >> http://www.dnsstuff.com/tools/whois....08-66-195-64-1&server=whois.arin.net
    >> >>
    >> >> http://www.dnsstuff.com/tools/whois....4.215&email=on
    >> >>
    >> >>
    >> >> This is suspicious.
    >> >>
    >> >> You may have to back up the PC, wipe it and then reinstall the OS
    >> >> from scratch if all the scans have come up negative.
    >> >>
    >> >> The only other option is to use anti-rootkit software such as Gmer
    >> >> and BlackLight to find the malware. Otherwise, wipe the system.
    >> >>
    >> >> --
    >> >> Dave
    >> >> http://www.claymania.com/removal-trojan-adware.html
    >> >> http://www.ik-cs.com/got-a-virus.htm
    >> >
    >> > Update - I had tried a couple of rootkit detection tools without
    >> > success and had given up. But gmer finally found it. Turns out it
    >> > is a rootkit. It's called Backdoor.Rustock.B. It uses the following
    >> > hidden data stream c:\windows\system32:lzx32.sys
    >> > (c:\windows\system32:18467). This Symantec website has more
    >> > information:
    >> > http://www.symantec.com/security_res...sp?docid=2006-070513-1305-99&tabid=3
    >> >
    >> > The symptoms for the rootkit are similar to what I'm experiencing.
    >> > From what I've read so far it might be tricky to get rid of. It
    >> > seems to be active in safe mode as well. I'll be searching for a
    >> > way to get rid of it. If there are any ideas out there, please let
    >> > me know.
    >> >
    >> > Thanks for all the help.
    >> > Raffi
    >> >

    >> First, stay off the network with your infected PC. Secondly, get
    >> PEBuilder and create a BartPE LiveCD. Use this to edit your
    >> registry.hiv file in order to remove the rootkit (I haven't done the
    >> research because my blood sugar is getting low, so you'll need to do
    >> the research to figure out what registry keys in registry.hiv should
    >> be deleted (or maybe someone else here will be nice enough to post
    >> those for you). Good luck.
    >>
    >> Cheers,
    >>
    >> Will

    >
    > Will,
    >
    > Thanks for the suggestions. I did manage to clean my system using a
    > tool called "rustbfix.exe". My guess is this tool disables the
    > rootkit in the registry but doesn't actually delete the stream
    > (c:\windows\system32:lzx32.sys). After running the tool, I ran
    > gmer.exe again and had to manually delete the stream. The stream was
    > inaccessible before but after running the cleaning tool, I was able to
    > delete it.
    >
    > Anyway, this little adventure took up a lot of my time and hopefully
    > this message thread will help others get to a fix much quicker/easier.
    >
    > Thanks to everyone for the help and suggestions.
    >
    > Raffi
    >


    OK. Surf safely, now, and seriously, be careful with the P2P.

  4. #34
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    Alun Jones wrote:
    > "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote in message
    > news:70Vkh.40916$wc5.11798@newssvr25.news.prodigy.net...
    > > On 12/28/2006 10:10 AM, something possessed Alun Jones to write:
    > >> "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote in
    > >> message news:5Qnkh.7472$yC5.5798@newssvr27.news.prodigy.net...
    > >>> Not necessarily. If you're just using it to illegally download music
    > >>> and videos (not program executables), and you're careful about how you
    > >>> play these (I wouldn't rely on Windows to launch them, for example, but
    > >>> load them in Winamp, and don't let Winamp connect to Internet), then
    > >>> you're more or less safe.
    > >>
    > >> Right, because Winamp has never had any vulnerabilities that can be
    > >> exploited by badly formatted data.

    > >
    > > I didn't recommend Winamp because it was invulnerable, but simply because
    > > it's not integrated into the OS, so that if it goes bad, the whole OS
    > > doesn't suffer.

    >
    > It does if you're running as an administrator account.
    >
    > Windows (as with all computer systems I'm aware of) cannot distinguish
    > between the user, and programs run on that user's behalf. If you, the user,
    > run Winamp, and it loads a data file that causes execution through
    > exploiting a buffer overflow, the malware inside of that data file can do
    > absolutely anything to the system that you can do, with the exception of
    > anything that requires your actual physical presence.
    >
    > So, if you're running as an administrator, it doesn't matter if you're
    > loading exploits into a program that's labeled "part of the OS", or one
    > that's labeled "third party shovelware", the exploit can do what it chooses.
    >
    > The answer, then, is to run as a restricted user account. I do it all the
    > time - and when I do, my Internet Explorer runs as a restricted user account
    > too. Exploits in the apps I use can still do anything I can do, but the
    > damage is limited to my personal data, not the entire OS.
    >
    > You can even run as an administrator while forcing IE to run as a restricted
    > user! [Search for "SAFER" and "SRP" and "Internet Explorer" for some
    > articles, or see
    > http://blogs.msdn.com/michael_howard...1/363985.aspx]
    >
    > Note, though, that once you've downloaded and run a piece of malware,
    > whether it's an EXE or a buffer-overflowing MP3, that malware can do
    > everything you can do as a user.
    >
    > > Additionally, while exploits may exist in Winamp when accessing
    > > questionable media locally stored, In order for any real damage to be done
    > > (i.e. a trojan downloader), Winamp would need to access the Internet (or
    > > maybe that wretched program Internet Explorer).

    >
    > Uh... no. Remember, Winamp - and any exploit it loads, as far as the
    > operating system is concerned, _is_ you.
    >
    > It can start another program, it can inject itself into another program
    > you're already running, or it can combine the two.
    >
    > > A good Firewall (like Kerio) should be able to prevent this from
    > > happening.

    >
    > No, no it won't. Again, if you've told Kerio, or whatever, to allow _any_
    > program to access the outside world, that program can be compromised by code
    > you've run under any other program. So, your Winamp exploit can infect your
    > Internet Explorer in memory (not on disk, unless you have rights to that),
    > and pretend to be Internet Explorer in order to download its exploit - or,
    > quite honestly, it can simply start up IE to fetch the rest of its code.
    >
    > But why would it need to do even that?
    >
    > How big are the media files you're "sharing"? Way bigger than most damaging
    > code I could imagine. If you're downloading a video, or anything more than a
    > few seconds of sound, you won't notice the increase in size that you get by
    > adding some kind of malware.
    >
    > >>
    > >> Oh. No, wait, actually it has. Several times.
    > >>
    > >> This is why the trend lately is to attack applications, rather than
    > >> operating systems - the operating system vendors are getting much better
    > >> at tracking and fixing problems, but many application vendors still have
    > >> their heads in the sand - and so do many users

    > > [snip]
    > > I understand your sentiment. Clearly, you support Microsoft, and that's
    > > fine. I don't agree with that sentiment, but everyone is entitled to
    > > their own opinion.

    >
    > A => Z. Welcome to today's edition of "Jumping to Conclusions".
    >
    > >> In the abstract sense, there is no dividing line between code and data -
    > >> data tells code where to go, and so acts as pseudo-code, in many cases.

    > > Again, requires Internet access to download the trojan. Media itself
    > > cannot contain the final executable code that infests a system with
    > > malware, all it can do is exploit vulnerabilities that allow the said
    > > malware to be installed.

    >
    > If you believe that, you've got a long way to go. There really is no other
    > way to say it, but to note that you are completely wrong in that assertion.
    > Media itself can quite comfortably contain the exploit and whatever code is
    > going to execute after the exploit has taken over control of your system.
    >
    > >>> Also, more than likely, the P2P proggie you used had its own malware
    > >>> (like Navaccel or something like that).
    > >>
    > >> Don't make the mistake of assuming that I'm talking about my own
    > >> experiences with P2P - I've simply seen too many machines infected where
    > >> the source of infection is traced to an overactive P2P exchanger.

    > > Which is why if someone is going to use P2P, they should be advised (as
    > > I'm trying to do) on how to use it safely. I'm not condoning such action,
    > > but its kind of analogous to making sure your teenager has protection, you
    > > don't want them to have to use it until they've matured, but they do, then
    > > it'll be there for them.

    >
    > Best protection against catching malware from P2P is a membership at
    > Blockbuster, or a Netflix subscription.
    >
    > Get your movies, and your tunes, from reputable sources who have a little
    > skin in the game should you get infected through them.
    >
    > >>> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
    > >>> for downloading Linux distros), since even though you're downloading
    > >>> from other computers, the tracker is administered by the Linux
    > >>> Distribution and, to my knowledge, it's not possible yet to alter a file
    > >>> or set of files once the tracker has already been posted without posting
    > >>> a new torrent tracker.
    > >>
    > >> I'm glad you put me at ease there - after all, the main Linux distros
    > >> have never been altered maliciously by hackers.
    > >>
    > >> Oh, wait, they have, haven't they.
    > >> http://www.linuxinsider.com/story/32240.html

    > >
    > > What's this got to do with altering a bittorrent stream. The results
    > > would have been the same whether bittorrent was used to download the distro
    > > or if it was downloaded from the server. In fact, in this case, the
    > > bittorrent tracker probably would have been the safer bet, since it was
    > > the server (and not the torrent) that was hacked.

    >
    > The point is that you can only trust checksummed streams as much as you can
    > trust the person who created the file and the checksum in the first place.
    > Since most "sharing" of illegally copied material is done by people who
    > would like to remain anonymous, you're relying on trusting someone whom you
    > can't identify, and whose reputation (and reason for maintaining that
    > reputation) is unverifiable.
    >
    > >> Cleaning a virus or trojan infection is only going to be effective if you
    > >> can plug whatever hole they got in through - whether it's a hole in your
    > >> behaviour, or in your apps, or in your OS. Even flattening and restoring
    > >> just means that the attacker gets another chance to try the same thing at
    > >> you, but this time on a system that's less cluttered with the debris of
    > >> other previous attacks.

    > >
    > > Agree with you here. So, with that, I hope that if the OP ultimately
    > > decides to continue P2P, that he/she does so safely.

    >
    > That requires only loading files with hashes generated by trusted
    > authorities. ("Authority" here means anyone with the right to say what is,
    > or isn't, a valid copy of a file.)
    >
    > Downloading stolen movies and songs is not going to be safe. Not ever.
    >
    > Alun.
    > ~~~~


    Let's not assume the malware came through P2P. This stuff is all over
    the Internet.

    Raffi
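Alun's closing point in the quoted exchange, that a checksummed download is only as trustworthy as whoever published the checksum, and that the safe practice is to load only files whose hashes come from an authority entitled to say what a valid copy is, can be turned into a concrete check. The following is an added example and not code from the thread or from any project mentioned in it: it verifies a downloaded file against a SHA256SUMS-style manifest (the "digest  filename" line format written by the coreutils sha256sum tool), refuses files the manifest does not list, and demonstrates the three outcomes on constructed temporary files. The manifest text and sample payloads are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Note on trust: the manifest itself has to reach you from the publisher over
# a channel you can authenticate (the project's own site over HTTPS, or a
# detached signature you verify against a key you already trust). A digest
# that travelled alongside the file from an anonymous uploader only proves
# the file matches whatever that uploader chose to claim.


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'digest  filename' lines into {filename: digest}.

    Blank lines and '#' comments are skipped; anything else that does not
    look like a 64-hex-digit digest followed by a name raises, because a
    silently ignored malformed line would leave a file unverified.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted'.

    A file the manifest does not name is reported as unverified rather than
    passing by default: absence of a digest is not evidence of integrity.
    """
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"
    actual = sha256_of_file(path)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


def demo():
    """Write a constructed 'download' to a temp dir, verify it against a
    manifest carrying its correct digest, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "distro.iso")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        manifest = f"# constructed manifest\n{sha256_of_file(path)}  distro.iso\n"
        before = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"extra bytes appended\n")   # simulate a tampered copy
        after = verify_download(path, manifest)
        other = verify_download(os.path.join(d, "unknown.bin"), manifest)
        return before, after, other


if __name__ == "__main__":
    print(demo())   # expected: ('ok', 'mismatch', 'unlisted')
```

The three-way result is deliberate: a download pipeline that treats "unlisted" the same as "ok" has no integrity check at all for files the publisher never enumerated, which is exactly the anonymous-uploader case the post is warning about.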


  5. #35
    William Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    on 29 Dec 2006, something possessed Raffi to write:

    >
    > Alun Jones wrote:
    >> "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote in
    >> message news:70Vkh.40916$wc5.11798@newssvr25.news.prodigy.net...
    >> > On 12/28/2006 10:10 AM, something possessed Alun Jones to write:
    >> >> "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote
    >> >> in message news:5Qnkh.7472$yC5.5798@newssvr27.news.prodigy.net...
    >> >>> Not necessarily. If you're just using it to illegally download
    >> >>> music and videos (not program executables), and you're careful
    >> >>> about how you play these (I wouldn't rely on Windows to launch
    >> >>> them, for example, but load them in Winamp, and don't let Winamp
    >> >>> connect to Internet), then you're more or less safe.
    >> >>
    >> >> Right, because Winamp has never had any vulnerabilities that can
    >> >> be exploited by badly formatted data.
    >> >
    >> > I didn't recommend Winamp because it was invulnerable, but simply
    >> > because it's not integrated into the OS, so that if it goes bad, the
    >> > whole OS doesn't suffer.

    >>
    >> It does if you're running as an administrator account.
    >>
    >> Windows (as with all computer systems I'm aware of) cannot
    >> distinguish between the user, and programs run on that user's behalf.
    >> If you, the user, run Winamp, and it loads a data file that causes
    >> execution through exploiting a buffer overflow, the malware inside of
    >> that data file can do absolutely anything to the system that you can
    >> do, with the exception of anything that requires your actual physical
    >> presence.
    >>
    >> So, if you're running as an administrator, it doesn't matter if
    >> you're loading exploits into a program that's labeled "part of the
    >> OS", or one that's labeled "third party shovelware", the exploit can
    >> do what it chooses.
    >>
    >> The answer, then, is to run as a restricted user account. I do it
    >> all the time - and when I do, my Internet Explorer runs as a
    >> restricted user account too. Exploits in the apps I use can still do
    >> anything I can do, but the damage is limited to my personal data, not
    >> the entire OS.
    >>
    >> You can even run as an administrator while forcing IE to run as a
    >> restricted user! [Search for "SAFER" and "SRP" and "Internet
    >> Explorer" for some articles, or see
    >> http://blogs.msdn.com/michael_howard...1/363985.aspx]
    >>
    >> Note, though, that once you've downloaded and run a piece of malware,
    >> whether it's an EXE or a buffer-overflowing MP3, that malware can do
    >> everything you can do as a user.
    >>
    >> > Additionally, while exploits may exist in Winamp when accessing
    >> > questionable media locally stored, In order for any real damage to
    >> > be done (i.e. a trojan downloader), Winamp would need to access the
    >> > Internet (or maybe that wretched program Internet Explorer).

    >>
    >> Uh... no. Remember, Winamp - and any exploit it loads, as far as the
    >> operating system is concerned, _is_ you.
    >>
    >> It can start another program, it can inject itself into another
    >> program you're already running, or it can combine the two.
    >>
    >> > A good Firewall (like Kerio) should be able to prevent this from
    >> > happening.

    >>
    >> No, no it won't. Again, if you've told Kerio, or whatever, to allow
    >> _any_ program to access the outside world, that program can be
    >> compromised by code you've run under any other program. So, your
    >> Winamp exploit can infect your Internet Explorer in memory (not on
    >> disk, unless you have rights to that), and pretend to be Internet
    >> Explorer in order to download its exploit - or, quite honestly, it
    >> can simply start up IE to fetch the rest of its code.
    >>
    >> But why would it need to do even that?
    >>
    >> How big are the media files you're "sharing"? Way bigger than most
    >> damaging code I could imagine. If you're downloading a video, or
    >> anything more than a few seconds of sound, you won't notice the
    >> increase in size that you get by adding some kind of malware.
    >>
    >> >>
    >> >> Oh. No, wait, actually it has. Several times.
    >> >>
    >> >> This is why the trend lately is to attack applications, rather
    >> >> than operating systems - the operating system vendors are getting
    >> >> much better at tracking and fixing problems, but many application
    >> >> vendors still have their heads in the sand - and so do many users
    >> > [snip]
    >> > I understand your sentiment. Clearly, you support Microsoft, and
    >> > that's fine. I don't agree with that sentiment, but everyone is
    >> > entitled to their own opinion.

    >>
    >> A => Z. Welcome to today's edition of "Jumping to Conclusions".
    >>
    >> >> In the abstract sense, there is no dividing line between code and
    >> >> data - data tells code where to go, and so acts as pseudo-code, in
    >> >> many cases.
    >> > Again, requires Internet access to download the trojan. Media
    >> > itself cannot contain the final executable code that infests a
    >> > system with malware, all it can do is exploit vulnerabilities that
    >> > allow the said malware to be installed.

    >>
    >> If you believe that, you've got a long way to go. There really is no
    >> other way to say it, but to note that you are completely wrong in
    >> that assertion. Media itself can quite comfortably contain the
    >> exploit and whatever code is going to execute after the exploit has
    >> taken over control of your system.
    >>
    >> >>> Also, more than likely, the P2P proggie you used had its own
    >> >>> malware (like Navaccel or something like that).
    >> >>
    >> >> Don't make the mistake of assuming that I'm talking about my own
    >> >> experiences with P2P - I've simply seen too many machines infected
    >> >> where the source of infection is traced to an overactive P2P
    >> >> exchanger.
    >> > Which is why if someone is going to use P2P, they should be advised
    >> > (as I'm trying to do) on how to use it safely. I'm not condoning
    >> > such action, but its kind of analogous to making sure your teenager
    >> > has protection, you don't want them to have to use it until they've
    >> > matured, but they do, then it'll be there for them.

    >>
    >> Best protection against catching malware from P2P is a membership at
    >> Blockbuster, or a Netflix subscription.
    >>
    >> Get your movies, and your tunes, from reputable sources who have a
    >> little skin in the game should you get infected through them.
    >>
    >> >>> Finally, some P2P proggies (such as Bittorrent) can be used
    >> >>> safely (like for downloading Linux distros), since even though
    >> >>> you're downloading from other computers, the tracker is
    >> >>> administered by the Linux Distribution and, to my knowledge, it's
    >> >>> not possible yet to alter a file or set of files once the tracker
    >> >>> has already been posted without posting a new torrent tracker.
    >> >>
    >> >> I'm glad you put me at ease there - after all, the main Linux
    >> >> distros have never been altered maliciously by hackers.
    >> >>
    >> >> Oh, wait, they have, haven't they.
    >> >> http://www.linuxinsider.com/story/32240.html
    >> >
    >> > What's this got to do with altering a bittorrent stream. The
    >> > results would have been the same whether bittorrent was used to
    >> > download the distro or if it was downloaded from the server. In
    >> > fact, in this case, the bittorrent tracker probably would have been
    >> > the safer bet, since it was the server (and not the torrent) that
    >> > was hacked.

    >>
    >> The point is that you can only trust checksummed streams as much as
    >> you can trust the person who created the file and the checksum in the
    >> first place. Since most "sharing" of illegally copied material is
    >> done by people who would like to remain anonymous, you're relying on
    >> trusting someone whom you can't identify, and whose reputation (and
    >> reason for maintaining that reputation) is unverifiable.
    >>
    >> >> Cleaning a virus or trojan infection is only going to be effective
    >> >> if you can plug whatever hole they got in through - whether it's a
    >> >> hole in your behaviour, or in your apps, or in your OS. Even
    >> >> flattening and restoring just means that the attacker gets another
    >> >> chance to try the same thing at you, but this time on a system
    >> >> that's less cluttered with the debris of other previous attacks.
    >> >
    >> > Agree with you here. So, with that, I hope that if the OP
    >> > ultimately decides to continue P2P, that he/she does so safely.

    >>
    >> That requires only loading files with hashes generated by trusted
    >> authorities. ("Authority" here means anyone with the right to say
    >> what is, or isn't, a valid copy of a file.)
    >>
    >> Downloading stolen movies and songs is not going to be safe. Not
    >> ever.
    >>
    >> Alun.
    >> ~~~~

    >
    > Let's not assume the malware came through P2P. This stuff is all over
    > the Internet.


    Yup. Like, for example, it could have happened from surfing the
    Internet using Internet Exploiter ;-D.

    Cheers,

    William

  6. #36
    Alun Jones Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    "Raffi" <thegrizzzly@yahoo.com> wrote in message
    news:1167380259.259548.76080@a3g2000cwd.googlegroups.com...
    > Let's not assume the malware came through P2P. This stuff is all over
    > the Internet.


    I don't think I ever did assume that - however, it's a behaviour one should
    strongly avoid if one wants to prevent malware infections. It's like surfing
    to random locations on the web and running whatever ActiveX controls you
    find.

    Alun.
    ~~~~


