Video of the exploit in action (.WMV 3.52MB)
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

Workaround (will disable Windows Picture and Fax viewer, use at your own discretion).
http://www.gameshout.com/news/122005/article2167.htm

Edit: Fixed links.

I get a blank page saying done when I click on above link????







Dell Dimension 4550,Win XP Home SP2, 2.4 GHZ P4, 512MB DDR PC2700 Ram, ATI Rage 128(32MB),Cable
Dell Inspiron 5160,Win XP Home SP2,2.8 GHZ,512MB Ram,32MB Vide

This is so cool!

I clicked the link to view the movie, & as soon as I did, I got all these popups ?
Naw, just kiddin .


@uffbros,

The first time I viewed the movie, I downloaded it to my HD first, then opened it in my video player (MPC). The second time, I clicked the link in Mozilla, which proceeded to download it into its' cache, & it opened from there into my video player.

You must be running IE. IE is locked down tight to prevent such things. You need one of those newer gecko based browsers where anything is possible .

No I use FireFox...Latest version.






Dell Dimension 4550,Win XP Home SP2, 2.4 GHZ P4, 512MB DDR PC2700 Ram, ATI Rage 128(32MB),Cable
Dell Inspiron 5160,Win XP Home SP2,2.8 GHZ,512MB Ram,32MB Vide

The video describes a notebook computer I am working on right now. Same infections, WinHound, same popups. Also disabled Symantec AV 9.0. Intelligent Updater won't work either.

This notebook was infected two weeks ago. Wonder how many have been hit with this so far.

>>>"I hit one site with a fully patched XP system last night and it was pretty intense -- it went right through and infected my machine."

That's the way it works with windows.

With tight integration, when security is broken at one point, it's broken everywhere.

You can't just tack security on to a fundamentally insecure structure and have it be effective.

Good luck with this one.

Has anyone tried the work around yet???

Is it just me? Why is it, when an exploit is reported, instead of trying to be constructive, there are always the wise guys {who want to look smarter and cooler than the rest of us} to step in and make wise-ass critical sarcastic comments that aren't in the least bit helpful or constructive? If you dislike Windows so much, use BSD or Linux, nobody is forcing you to keep this useless buggy insecure O.S. And for heavens sake, it doesn't make you a Sage to use a free alternative browser {anybody can download and install one}; sheesh; no, you are just labeling yourself a smartass in my opinion; you want to look cool and clever and better than the rest of us in the "masses" who use Windows and don't take every opportunity to blast MS {and IE, etc.} into Kingdom Come.

Is there something wrong with you? All I did is seek info on whether anyone has tried the work around. What caused your venom to flow?

He replied to your post, but I don't think it was directed towards you.

We are smarter and cooler than the rest of you if you're unable to accept the truth. Gosh, you'd think that some of you gave birth to this OS yourselves the way you take it personally when anyone criticizes it. Fact is, it deserves some criticism for bugs like this. How many more of these are there that you don't know about?

Grogan

Take it personally? Don't you Linux\Firefox users take your beloved software personally? I've seen alot of crying in here when someone puts down Firefox.

If 90% of the world's operating systems were Linux, and the other 10% were Windows, we'd be reading about all the Linux exploits in here. If I was a cracker\hacker and wanted to cause damage, why would I waste my time on that measly 10%? I wouldn't, and neither do "they". The more fish in a pond, the better chance of catching one.

Now excuse me, I'm about to give birth. Let's see...I think I'll name it..."Vista".

Sorry, but this is atrocious and it's not the first time, for that same dll even.

Just like that Firefox denial of service exploit that I ranted and cursed about because they refused to fix it until version 1.5. I had to switch to the development branch to get that problem fixed. (which didn't turn out too bad, but it still pissed me off). I give both credit and ridicule where it's due. That problem was nothing compared to this, either.

My comments were more directed at Randy than yourself, anyways. Bobguy's comments were reasonable (which is what he was reacting to), given current and past circumstances.

Grogan

The situation is that this was a known weakness for some time and should have been patched before it became exploited.

http://news.zdnet.com/2100-1009_22-5977161.html

Shelly

But this is similar to a problem with the same dll not long ago. No excuses for this. Not only that, unregistering shimgvw.dll is not acceptable for people who use the picture viewer. Like my Mom would be able to view her pictures the way she is used to without that.

It is in fact like Bobguy said. When everything interfaces with everything, and the security model is one of sewing additional arms onto an octopus, every little buglet like this allows malicious code access to the system.

Grogan

Alternate workaround that doesn't disable Picture and Fax viewer...

That registry fix looks better than unregistering the dll, at least the Microsoft picture viewer should still work.

No, I'm leaving them with Windows XP until I have a reason to have to start over. Things don't get broken for them, because I maintain it and we don't let other people on it. My parents don't do anything but email, PC banking, news, weather and financial web sites and picture/video clip viewing (my sister's web gallery) so they don't get into trouble.

Given justification, I'll install a larger hard drive (stupid, slow 20 gb fujitsu hard disk that came in the Dell PC) and I'll set up a dual boot with XP and SuSE to get them to try it a little at a time. Mom doesn't use it much anymore, but Quick Books is the only application I couldn't easily replace.

Grogan

Registry change sounds better, I've already done the unregister dll bit...if I make the registry change do I need to register the dll?

To un-unregister shimgvw.dll

would you just remove the /u from:

"regsvr32 /u shimgvw.dll" ?

>Registry change sounds better, I've already done the
>unregister dll bit...if I make the registry change do I need
>to register the dll?
>
>To un-unregister shimgvw.dll
>
>would you just remove the /u from:
>
>"regsvr32 /u shimgvw.dll" ?
>
>
>
>



1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

I would reregister the dll before making the registry change. Yes, this one doesn't need any arguments to register (and since it's in system32 you shouldn't need to type a path)

regsvr32 shimgvw.dll

Grogan

I was going to use Darren's registry fix. Before deleting, I clicked on the ShellImagePreview key and then Import and saved a reg file. If I delete the key (as per Darren's instructions) will running the reg file I saved put it back? Or could I just use System Restore to go back to a date before I edited the registry. Obviously I am not too familiar with registry editing. Thanks.

Yes, if you've exported the subkey to a .reg file prior to deletion, you can simply double click the .reg file to merge it back, which restores the data.

It wouldn't hurt to make a current restore point anyways (you should be doing that at intervals if you expect that mechanism to work reliably and correctly anyway)

Grogan

Thanks Grogan.

In case folks aren't aware, never use system restore to go back to a restore point frivolously. It's a last resort (well, maybe 2nd last). Always try to find settings that have changed and/or fix problems first, as you may be disappointed (which could be an understatement) by system restore.

For example, that would be ill advised for just a simple registry setting. The .reg file export is a perfectly good solution.

Grogan

Yes, I unregistered the shimgvw.dll on my machines. Like I said, Windows Picture and Fax Viewer will not open anymore until you register the .dll again.

SunBelt blog...

http://sunbeltblog.blogspot.com/2005/12/more-than-50-wmf-variants-in-wild.html

http://secunia.com/advisories/18255/

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

http://www.microsoft.com/technet/security/advisory/912840.mspx

Thanks. I saw this at your link...

DEP???

Dave101

"The only goddamn thing you know about the law is how to break it." Chief Lafleche

DEP stands for Data Execution Prevention. If you want to turn it off this was posted just after SP2 came out somewhere in the forum.. It certainly helped me out at the time.

===================

For those of you getting errors on different apps including explorer after installing SP2.
You can use this fix even if you computer is running great to get a little better performance.

It all seems to be a memory protection issue with the new DEP system provided with SP2. If you disabled DEP your problems will go away. Most systems don't have hardware support for DEP, so it is enabled using software support.
You can access the DEP setting here...
Control Panel/Performance & Maintenance/System/Advanced/Performance/Settings/Data Execution Prevention/

The Fix...
Under Control Panel/Performance and Maintenance/System/Advanced, Click the Settings button under "Startup and Recovery".
Click the Edit button under "System Startup" to edit the boot.ini file in Notepad.
Change /NoExecute=OptIn to /NoExecute=AlwaysOff
Save the boot.ini file and "OK" your way out of there.
Reboot you computer. If you go to Control Panel/System/Advanced/Performance/Settings/Data Execution Prevention, the DEP setting will be grayed out.

My understanding is that PCs with AMD cpu's don't support DEP and you can't enable it on them.

Software DEP, yes. Hardware DEP, no.

Didn't know there was a SW.

It appears that for IE users (& users of Google's Desktop), that this is just a drive by disaster waiting to happen. Ie, you drive by one of the malware sites with IE & you are infected. Period.

With (later) versions of Mozilla/Firefox, you would be prompted to download the file (of which you would obviously not), in which case you may be infected. Older versions of Firefox supposedly are affected by this.

With current versions of Mozilla, opening a .WMF file causes it to open in your media player (Media Player Classic) in my case. Neither WMP nor MPC are affected by this.

Rename a text file from *.TXT to *.TXT.WMF.

Drag that file into IE.
IE causes Windows Picture & Fax Viewer to open - & WP&FV is vulnerable & is what allows the malware to gain its' foothold into your system.

Drag that file into Mozilla.
Your media player should open. Your media player is not vulnerable.

Notice the difference.


Just to add a few more links:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
http://isc.sans.org/diary.php?rss&storyid=975

"WMF"
http://www.f-secure.com/weblog/

Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/912840.mspx

US-CERT Vulnerability Note VU#181038
http://www.kb.cert.org/vuls/id/181038

Sunbelt BLOG: New exploit blows by fully patched Windows XP systems
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

The Dell computer I am working on was infected sometime before Christmas around December 18, 2005. Likely one of the first if not the first to get it.

So far, removal is going well but I have much yet to do with HijackThis. The computer has been kept offline while I used Ad-Aware, SAV 9 (not much help as the defs are not updating properly) and MSAS to do the cleanup. HJT shows signs of a reload if I don't clean it up completely. Will be on it for a while.

After cleanup, I will remove SAV 9.0 and install avast! or AVG. SAV 9.0 appears to have stopped working correctly back in May of 2005.

This system was also infected with Trojan.Infticker. Infection occurred around December 18, 2005. The reason I am sure of the dates is because I received the machine about that time and it has not been back online since.

So Should one disable the DEP and unregistered the DLL mentioned in this discussion what is the best option is the question I have right now I have DEP running and have the DLL registered.

Leave DEP enabled if it isn't causing problems. The registry fix is better than unregistering the dll.

While there is a manual fix for the Exploit, at the beginning of the link below, I would use the automatic registry hack which can also be accessed from the link below.
It works perfectly and leaves Windows Picture Viewer and Thumbnail working. That should protect you until MS comes out with a fix.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html

>While there is a manual fix for the Exploit, at the beginning
>of the link below, I would use the automatic registry hack
>which can also be accessed from the link below.
>It works perfectly and leaves Windows Picture Viewer and
>Thumbnail working. That should protect you until MS comes out
>with a fix.
>
>http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html


I enabled DEP for all essential windows programs and services. I went to link providee for REG files to for automatic hack

Thanks everyone

thanks for the reg files... much simpler for us lamers pcQ&A taking care of us, as always!

Allyn,

If it will help here is a fix for Winhound.

http://www.bleepingcomputer.com/forums/topic37384.html

PW

Thanks for the info. I was able to remove it without resorting to using smitREM. I did require SysInternal's RegDelNull to completely remove WinHound from the registry.

The DLL does exist on W2K Pro SP 4 systems here at work. Trying to identify if the dll file is registered and/or in use by Windows.

The reg hack Darren provided, lists a branch that does not exist on these systems. Most likely due to the fact that product does not exist on W2K.

Any suggestions to find out if W2K is exploitable or if its only WXP and WS2003?

I've got a Windows 2000 server in a virtual machine. I'll see if I can infect it (just have to find one of those malicious sites)

Heheh... the site shown in that demo movie clip has been shut down :lol

"Account closed due terms violation"

P.S. I've seen it said that this affects all versions of Windows, 98 and higher at all patch levels.

Grogan

From most of the security websites, they are still only saying WXP and WS2003... MS has updated their site to state everything BUT NT.

I applied Service Pack 4, Internet Explorer 6 SP1 and all critical updates to the Windows 2000 Server VM I have, and found a test file (non malicious... creates a test user on the system as proof that it got full access).

It did not work. I was prompted to download or open the file. I chose the supplied image viewers (the kodak shyte) and they just said invalid file format.

I then booted up an (up to date) Windows XP VM, and the same file triggered the behaviour without any intervention from me. While it crashed rundll32, it indeed created a user account named "test" like it was supposed to.

So I would say, this doesn't work in all Windows configurations. Maybe the deal for Windows 2000 is you need to have MSOffice installed or something, for .wmf image handling to happen in the browser.

OK, while I think this file is harmless and I'll provide a link for reference, I don't want ANYONE to try it unless they are willing and able to fix or even reformat their system. I quite simply do not care about any Windows installations in VMware virtual machines... I'd just laugh and redo it if something happened that I couldn't fix. I don't let Windows out of it's sandbox and the underlying OS is Linux.

This is a live (but supposedly non-malicious) exploit.

http://ii.net/~benwig/addtestuser.wmf

If anyone tries this, and something bad happens, don't complain to me for I will surely laugh at you

Grogan

I renamed a test1.txt document to test1.wmf and a test2.txt to test2.emf
Windows Picture and Fax viewer opened them both. I used the registry fix, so why is P&F viewer opening?

Just because of the extension and file association I would think.

Grogan

I restored that registry key and unregistered the shimgvw.dll like Microsoft advised in Microsoft Security Advisory (912840).
Published: December 28, 2005 | Updated: December 30, 2005
http://www.microsoft.com/technet/security/advisory/912840.mspx

Yep, I can confirm that the registry edit doesn't work. I tested it under XP.

Deleting the default value from:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview

And even rebooting afterwards to be sure

Does NOT mitigate the exploit in any way. The test .wmf file still invokes the machinery, and creates the test user account like it's supposed to.

It looked good, but unfortunately doesn't work at all. It doesn't even work for context menus like I thought it might. I saved the .wmf file and right clicked and previewed, and it still executed the payload. (and created the test user account)

Grogan

Dumb question for someone like me who is reading all this and marvelling at how much you all know compared to me, especially focusing on how to fix it, but what should the average user do right now to avoid getting it in the first place while we wait for another patch? Is it safe to assume that you'll know when you get infected? (I.E, does the video demonstration happen every time?)

Dave

Dell 8300 Dimension
Pentium 4
W XP Home


www.woodenpropeller.com

Look here.

http://www.bleepingcomputer.com/forums/topic39047.html

PW

You can unregister the specific DLL that implements the vulnerable code from the system using a command line program.

To disable the DLL click Start, then Run, then enter the following command:

regsvr32 /u shimgvw.dll

To re-enable the same DLL:

Start, then Run, then enter the following command:

regsvr32 shimgvw.dll

Thanks. I think that's what the program the pwgib linked to does. It just allows you to leave an icon for the "switch" on your desktop, so you can switch it off, then on as you need it.

I installed that. Now I wonder how long it takes for MS to come up with a patch?

Dave

Dell 8300 Dimension
Pentium 4
W XP Home


www.woodenpropeller.com

That's what I suspected. Does it have any CLSID's? I wonder if Spyware Blaster can block it? Maybe I'll visit the Spyware Blaster forum and see.

http://securityreason.com/exploitalert/196

.....for the expolit code.

Btw... if you folks update your antivirus software, it should stop this cold as well. I had to disable Antivir to play with this

Grogan

Yeah. avast has it covered, especially if you run the Web Shield.

I disabled the shimgvw.dll as per the above instructions and one effect it had was to make all my JPGs show as simple icons rather than thumbnails of the actual picture...I use Irfanview as my default viewer. I re-enabled the .DLL and the thumbnails are again working. Anyone else have this occur?

Yes, that is one of the effects of un-registering the DLL.

By the way what I have read here un-registering the DLL does not have any effect on the potential problem. As posted by DARREN

I restored that registry key and unregistered the shimgvw.dll like Microsoft advised in Microsoft Security Advisory (912840).
Published: December 28, 2005 | Updated: December 30, 2005
http://www.microsoft.com/technet/security/advisory/912840.mspx

No, the registry edit of removing a default value in a subkey (as opposed to unregistering the dll with regsvr32) does not work.

Unregistering the dll does indeed take care of the problem as expected (I tested that also), but at the cost of crippling image handling in Windows.

Grogan

>Yeah. avast has it covered, especially if you run the Web
>Shield.

Hey Avast's on demand scanner finds it no problem, but the real time scanner does NOT. It happily allows the file to be accessed and the code execution. Neither does the Web filter catch it.

Even when you set the resident protections to "High"

I just installed and updated Avast to test this to be sure.

Antivir stops this.

Grogan

Here is fix from Steve Gibsons Blog

http://www.hexblog.com/2005/12/wmf_vuln.html

Then I'd like to know what's going on. According to the avast Forum and an eweek article, avast has it covered. Have you tried adding those extensions to the avast scanner manually? There's also the blocker tab.

Another link from Wilders Security Forum concerning avast and others.

Anyway, I went ahead and installed Ilfak Guilfanov\'s patch. Recommended by Steve Gibson. Now all I have to do is remember to uninstall it when Microsoft releases a fix.

Ok, I installed and updated Avast again. The Web shield is set to scan all files by default and .wmf and .jpg weren't excluded. (.gif, .png and audio mime types were... I've removed the exclusions). The Web shield does not catch this file.

I added the extensions to the on access protection control for the standard shield and Avast still allows the file to run if double clicked, right clicked.

As for blocking, I don't think it's practical to block access to all image types

Yet, if I right click on the file or scan the folder it's in and scan, Avast goes off like a cannon. I've heard it said that Avast's real time protection is rather weak... evidenced by some of my clients getting infected by things that avast finds, yet when I go there an Avast manual scan or boot time scan finds them. I was just blaming it on them not keeping it up to date in a timely manner, but now I'm not so sure about that.

Get this. I renamed the .wmf to .exe and avast's on access scanner caught it right away. Rename it back to .wmf or .jpg and it doesn't catch it anymore. The extra file types are added correctly.

Try it yourself with the link I've supplied, you're all protected. (and I'm pretty sure the file is harmless anyways, I've run it probably a hundred times now in testing). My VM is NOT protected, and Avast allows the code to execute if I download or run a copy of that .wmf file.

Grogan

I tried your link and had the following pop-up. I haven't tried any other tinkering with the file.

Neil

============================================


In the computer world, there’s a right way, a wrong way, and the Mac way. The Mac way is essentially the same as the wrong way, except it’s much faster and on a much larger scale.

Attachment #1, (txt file)
Attachment #2, (jpg file)

Thank you, I hadn't tested Nod32 yet (Only place I have Nod32 is on my parents' computers and I don't experiment with those. It can make unwanted work for me heheh)

Grogan

Here's two more variants you can upload to the online jotti
scan (link above).

http://www.eskimo.com/~darren/wmfexp.jpg
http://www.eskimo.com/~darren/browsercheck.wmf

LOL... those go off just on hovering the mouse over them. I
hadn't quite noticed that before.

Avast doesn't detect either of those two at all, not even with
the manual scanner.

Antivir detects all three of them both in real time and with
its scanner.

AVG finds only my original test file, and only with a manual
scan. Not the two you posted.

This marks the end of humanity :+

Grogan

I'm testing Antivir Personal v7 RC1 and the new AntiVir heuristic engine 2 on my secondary machine. I'm more impressed with this version than I was the old. In the end, I'll probably stay with avast.
BTW, Alwil doesn't like to include generic signatures, such as needed to detect benign test files. They are including today's generic sig just to squelch negative publicity.

I haven't tried the new antivir yet. I hope it doesn't change too much.

What I like best about Antivir is:

1) They roll up a new executable every day, with the latest defs. Self contained.
2) It's simple enough to run in Safe Mode with command prompt (In fact it will even install in that mode, though it can't start its services). I can install it, say no to activating the guard, use it, and uninstall it before it can conflict with other installed antivirus software like Norton.
3) It's a most excellent scanner, especially if you tick the "all unwanted programs" box in settings.
4) Right now, I think it's one of the lightest of them all in terms of bloat and memory usage. Great for old computers.

Grogan

I don't know if the interface changed much, I never ran the old version. I do know v7 RC1 is supposed to support incremental updates, instead of downloading the entire core again. So far, I'm liking it. Here's some screens. Look different?

Oh yes, that's a completely different UI. It looks PC-Cillin'ish. blech (we need a puking smiley). The old ui wasn't pretty, but it was very light and simple.

I think they've done something for incremental updates on the old version too, because I noticed yesterday and today that the updates (installed downloaded executable from dec. 30) were only a few hundred kilobytes. It couldn't have downloaded the whole vdf file being that small (it's usually a 2 meg download no matter what)

Now, today at one house I used Antivir in Safe Mode/Command Prompt to do a scan and it (falsely) detected hundreds of clip art .wmf files from one of his clipart CDs as the exploit. Certain ones, not the whole whack of them. Even though I knew they were probably false detections, I told Antivir to "delete without prompting" to expediate the cleanup (the owner didn't care, he said he was going to delete the whole directory because he didn't use them). But this is not good.

Grogan

Posted on another thread but here's a temp. link for the fix and validation.

http://sunbeltblog.blogspot.com/2006/01/alternate-download-for-unofficial.html

That fix has been posted all over this forum.

>Thank you, I hadn't tested Nod32 yet (Only place I have Nod32
>is on my parents' computers and I don't experiment with those.
>It can make unwanted work for me heheh)

Trend Internet Security catches it ( your test link) right away with RealTime scanning.

I'll be patching my computers at work first thing in the morning, before downloading any mail. On the average monday I usualy have about 150 e-mails, after the long weekend it will be worse.

Shelly

>Thank you, I hadn't tested Nod32 yet (Only place I have Nod32
>is on my parents' computers and I don't experiment with those.
>It can make unwanted work for me heheh)


I hear you on that one! I already have enough problems with the computer from dad's tinkering!

Neil

============================================


In the computer world, there’s a right way, a wrong way, and the Mac way. The Mac way is essentially the same as the wrong way, except it’s much faster and on a much larger scale.

Thanks Gorgan. I'm sorry I doubted your word. I did not see that test link you had posted because Ad Muncher was set to block anything containing *.wmf
I think I'll post that link at the avast forums, if you don't mind. Can I also quote some of your findings? I also uploaded that file here...
http://virusscan.jotti.org/

>Thanks Gorgan. I'm sorry I doubted your word. I did not see
>that test link you had posted because Ad Muncher was set to
>block anything containing *.wmf
>I think I'll post that link at the avast forums, if you don't
>mind. Can I also quote some of your findings? I also uploaded
>that file here...
>http://virusscan.jotti.org/

You can quote me any time, never worry about that. Bear in mind that this is just one file though. I'm sure they aren't all crafted the same and I'm not sure what exactly the antivirus software is using as a signature. You would think that if the manual scanner finds it, and the on access scanner finds it if it's renamed to exe, that it should be found on access as a .wmf or .jpg when the software is set to scan those extensions.

btw... If the protection level is set to High for those resident protections, Avast is set to scan All Files on access.

Grogan