
BadBIOS infected word doc


46 replies to this topic

#1 badBiosVictim

badBiosVictim

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 24 April 2014 - 04:33 PM

#2 badBiosVictim


Posted 24 April 2014 - 04:47 PM

The above infected LibreOffice doc file contains musical notes and many other unusual characters. I created it today offline. Hackers ultrasonically cracked my 'air gapped' laptop. They infected my Linux boxes, removable media and personal files with BadBIOS. Including this .doc file.

 

My attempts to air gap my HP Compaq computer failed. I had removed the internal wifi card, hard drive and disconnected the speakers. No bluetooth to remove. I had not realized that the dial up modem has a piezo electric two way speaker and should have been removed. I cannot remove the dial up modem which hackers converted to an acoustical modem because I had glued the screws on the back of my laptop.

 

I created a plain text file with Kwrite using a live DVD of PCLinuxOS FullMonty. I saved it on my removable media. I copied and pasted it into a LibreOffice .doc that contained a small scan of my signature.

 

I inserted my removable media into a Windows computer that does not have Microsoft Word. WordPad and Notepad opened this .doc file. They don't have the functionality of opening .doc files. It has a .doc extension but is no longer a .doc file.

 

Hackers infected all my .doc files with macros and OLE2 compounds. They infected my rich text files with malicious scripts. I paid assistants to convert my .doc and .rtf files to .txt files.  I saved the LibreOffice .doc file that contained my signature to use for faxes that required my signature. I have a faxaway account.

 

Contrary to conventional wisdom, text files can become infected. Mine have. I will submit a separate thread on that.

 

I tried to copy and paste the infected .doc file in my pastebin account but it would not paste. I tried to open a new pastebin account but was emailed an invalid link.



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:45 AM

Posted 24 April 2014 - 05:31 PM

Hi,

 

doc/office documents are not clear text documents, they are compiled. This means that if you open them with programs that cannot read .doc files, they will try to "interpret" the data as best they can, which usually results in a display such as the one you see above.
You will see the same type of output if you open notepad.exe in WordPad, for example.

 

 

Can you upload the infected libreoffice document here please: http://www.bleepingcomputer.com/submit-malware.php?channel=100

 

regards

myrti


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
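
The point in the reply above can be checked directly: a .doc is an OLE2 compound file, and names such as Root Entry or WordDocument appear with gaps between the letters in a text editor because the file stores them as UTF-16. The following is an added example, not part of the original thread: it lists the directory entries of such a file and flags the storages where Word 97-2003 keeps VBA macros. The function names and the two sample files (`CLEAN_DOC`, `MACRO_DOC`) are constructed for illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE2 compound file signature
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
KINDS = {1: "storage", 2: "stream", 5: "root"}
MACRO_NAMES = {"Macros", "VBA", "_VBA_PROJECT"}      # where Word 97-2003 stores VBA


def list_ole2_entries(data):
    """Return [(name, kind)] for each directory entry of an OLE2 file (flat listing)."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    byte_order, sector_shift = struct.unpack_from("<HH", data, 28)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        raise ValueError("malformed OLE2 header")
    size = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)

    def sector(n):
        chunk = data[(n + 1) * size:(n + 2) * size]   # sector 0 follows the header
        if len(chunk) != size:
            raise ValueError("sector %d lies outside the file" % n)
        return chunk

    # The first 109 FAT sector numbers sit in the header (enough for small files).
    fat = []
    for sect in struct.unpack_from("<109I", data, 76)[:n_fat]:
        if sect != FREESECT:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(sect)))

    entries, seen, sect = [], set(), first_dir
    while sect != ENDOFCHAIN:                          # follow the directory chain
        if sect in seen or sect >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sect)
        raw = sector(sect)
        for off in range(0, size, 128):                # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", raw, off + 64)
            if kind in KINDS:
                end = off + max(min(name_len, 64) - 2, 0)   # drop the UTF-16 NUL
                name = raw[off:end].decode("utf-16-le", errors="replace")
                entries.append((name, KINDS[kind]))
        sect = fat[sect]
    return entries


def macro_entries(entries):
    """Names that indicate an embedded VBA project (heuristic, by entry name)."""
    return [name for name, _ in entries if name in MACRO_NAMES]


def build_sample(items):
    """Construct a minimal OLE2 file whose directory holds `items`; stream
    bodies are left out, so this is only good for listing the directory."""
    items = [("Root Entry", 5)] + items
    items += [("", 0)] * (-len(items) % 4)             # 4 entries per 512-byte sector
    n_dir = len(items) // 4
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 1)          # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = [FATSECT] + list(range(2, n_dir + 1)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    directory = bytearray()
    for name, kind in items:
        entry = bytearray(128)
        encoded = name.encode("utf-16-le")
        entry[:len(encoded)] = encoded
        struct.pack_into("<HB", entry, 64, len(encoded) + 2 if name else 0, kind)
        struct.pack_into("<III", entry, 68, FREESECT, FREESECT, FREESECT)
        struct.pack_into("<I", entry, 116, ENDOFCHAIN)
        directory += entry
    return bytes(header) + struct.pack("<128I", *fat) + bytes(directory)


# Constructed samples: the entry names a macro-free and a macro-bearing .doc carry.
CLEAN_DOC = build_sample([("WordDocument", 2), ("1Table", 2),
                          ("\x05SummaryInformation", 2),
                          ("\x05DocumentSummaryInformation", 2),
                          ("\x01CompObj", 2)])
MACRO_DOC = build_sample([("WordDocument", 2), ("Macros", 1), ("VBA", 1),
                          ("_VBA_PROJECT", 2), ("dir", 2)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOC), ("macros", MACRO_DOC)):
        found = list_ole2_entries(blob)
        print(label, [repr(n) for n, _ in found], "macro entries:", macro_entries(found))
```

The SummaryInformation stream in the listing is where the author and organisation fields are stored, which is why that metadata remains in a file after the visible text has been deleted.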



#4 badBiosVictim


Posted 24 April 2014 - 09:58 PM

I am uploading a LibreOffice .doc file I just created tonight. After creating, I immediately saved it. I didn't type any characters. The 'empty' file is 9 KB. That is huge! My abuser's hackers tampered with Kwrite and LibreOffice.

 

I redunated the LibreOffice file that I copied and pasted above. The size of the 'emptied' file is 10 KB. One KB larger than just creating and immediately saving a file. Though I deleted all the visible text after opening in LibreOffice, my name and prior location are visible when opened with Notepad and Wordpad. What an invasion of privacy! I will look for a .doc file that does not contain my name and post it.



#5 badBiosVictim


Posted 24 April 2014 - 10:06 PM

myrti, could you please send me a second link so I could upload an older .doc file? The first link only provided uploading one file.

 

It would be helpful to examine an empty file created by LibreOffice to ascertain whether LibreOffice has been tampered with. Though I am using live linux DVDs on a laptop I failed to successfully airgap, there is much evidence that the apps in the live DVD are tampered, including KWrite which is the main text editor I use.



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:45 AM

Posted 25 April 2014 - 02:55 AM

Hi,

 

you can upload many files one after another on that link, they won't be overwritten.

 

A "normal" empty docfile will be about 10kb in size, as it already stores many things like page width, text size, text type, etc. in the file even if you have not yet added any content.

 

regards myrti



#7 badBiosVictim

badBiosVictim
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 25 April 2014 - 01:03 PM

Virustotal and most antivirus programs are weak on detecting scripts inside text files. They report an outcome of "no infection." Whereas, a review of the log is necessary to see which files are unreadable.

 

KlamAV, xfprot and ExeFilter's logs listed .doc and rich text files they could not read. Unreadable files are unreadable either because they are infected, encrypted or corrupted. They were not corrupted as I was able to open them and convert them into plain text files.

 

I would like to compare what a plain text editor displayed of the .doc file I created and then saved without typing anything with another member's .doc file created the same way. Are there other users of LibreOffice or OpenOffice? Could you please create a .doc file and immediately save it. Open it up with a plain text editor and paste the file? If the characters in both plain text files are different, it may be evidence of cracking.



#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:45 AM

Posted 26 April 2014 - 04:58 AM

Hi,

 

here's a sample from my PC:

Spoiler

 

This being said, as mentioned before there's really no way it's going to be identical because we use different versions of libreoffice, we have saved it in different locations, we use different default settings, etc. In addition this is a compiled file, so opening it with a text editor will just lead to gibberish.

 

As a simplified example:

The file is stored as 0 and 1s, right.

Now if you open it as a text document instead of as an office document, the text editor will take chunks of 8 "1 and 0"s and interpret them as a letter. There are many different ways to do this and you usually need to specify which type of setting you want. The text editor will assume a setting, usually utf8. So it depends also on how your text editor is set up. (I used ascii here to be able to copy it into this post)

In contrast libreoffice will first decompile the file, read the settings at the beginning of the file and only then will it start looking for chunks of  8 "1 and 0"s in a specific section of the file to find text.

 

 


Virustotal and most antivirus programs are weak on detecting scripts inside text files. They report an outcome of "no infection." Whereas, a review of the log is necessary to see which files are unreadable.

That's not quite true. Most AV are very good at detecting scripts in doc/pdfs/etc. They have to be as this is the major way of infection nowadays.

 

 

 

KlamAV, xfprot and ExeFilter's logs listed .doc and rich text files they could not read. Unreadable files are unreadable either because they are infected, encrypted or corrupted. They were not corrupted as I was able to open them and convert them into plain text files.

I'm not quite sure what you mean here? The AV routinely scan and detect infected office files and pdfs, as these are the most common attachments to email. Now the only way an .doc can actually infect you is if there is an "executable part to it", that is a macro. In your case that's not the case because the file is empty. So there's nothing for the AVs to do. It's quite possible that they then skip the file for speed, as it can not harm your PC.

 

If you use a live-cd there's no way a file has been tampered with. CDs can only be written to once.

 

regards

myrti



#9 badBiosVictim

badBiosVictim
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 26 April 2014 - 09:37 AM

Myrti, thanks for creating a new .doc file with LibreOffice, opening it with a plain text editor and posting it here.

 

Myrti, I totally disagree with your conclusion: "we use different versions of libreoffice, we have saved it in different locations, we use different default settings, etc. In addition this is a compiled file, so opening it with a text editor will just lead to gibberish."

 

You assumed we use different versions of LibreOffice. Yet, we have not disclosed the version. Live DVD of PCLinuxOS FullMonty has LibreOffice 4.0.2.2. What is your version? If we are using a different version, the outcome may be identical. This is easy to test. Download an older or newer version of LibreOffice, create a new .doc file, save it. Open with a plain text editor.

 

Myrti, saving a .doc file in different locations does not change the .doc file. This is easy to verify. Open a .doc file. Save it to your harddrive, flashdrive, micro sd card or burn it to a DVD. Open them with a plain text file. Do you see any difference?

 

Myrti, we could not use different default settings. Default means preinstalled. Default means not changed by the user. If we are using the same version of LibreOffice, the default settings are identical. If we are using different versions of LibreOffice, the default settings most likely are identical. I will ask the developers of LibreOffice to comment.

 

Myrti, opening .doc file with a plain text file does not "just lead to gibberish." The characters in your .doc are very different from mine. Characters have significance. Characters could be encrypted. Yours doesn't have musical notes. Mine does. BadBIOS Infected .doc files could be playing ultrasonic musical notes through the computer's speakers.  Thereby, infecting nearby computers, tablets and smartphones and disclosing the geolocation of all of them.

 

Myrti, after you disclose the LibreOffice version you are using, I will ask the developers of LibreOffice to create a .doc file and open it in a plain text editor using the version I am using and the version you are using, if different.

 

Could members please post their libreoffice .doc content and disclose their version?

 

Myrti wrote: "Now the only way an .doc can actually infect you is if there is an "executable part to it", that is a macro."  This is not true. Doc files can also have malicious OLE2 compounds and malicious shellcode.

http://www.ufaq.org/modules.php?name=Content&pa=print_pdf&pid=202

http://blog.malwarebytes.org/intelligence/2013/08/ms-office-files/

 

Rich Text Files (RTF) and plain text files can also be infected with malicious scripts.

http://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner's+RTFScan/14092

https://www.usenix.org/legacy/event/leet10/tech/full_papers/Checkoway.pdf

 

It only makes sense that if rich text files and plain text files can be infected with malicious scripts, DOC files can be also. Myrti, limiting the attack vector of DOC files to only macros is giving false conclusions.

 

BleepingComputer should disclose the tools used to derive the conclusion whether a file is infected or not. Myrti, what did you use? Could you please post the log? Did the log say the .doc files were readable or unreadable?

 

Myrti, antivirus software focus on detecting malware in Windows operating system. Myrti, you disagreed with me that they perform an inadequate job of scanning infected .doc, rtf, PDF, jpg and music files. Almost all antivirus software did not detect that my files were infected. Whereas, Exefilter, KlamAV and xfprot did. Their logs reported numerous files as being unreadable. As I wrote before, unreadable means either (1) infected; (2) corrupted; (3) encrypted. I don't encrypt my files. My files weren't corrupted because I can open them. That leads to only one conclusion: infected.

 

Exefilter and forensic tools in live DVD REMnux are superior at detecting malicious scripts in DOC and PDF files. 

http://www.decalage.info/en/file_formats_security/pdfet

http://zeltser.com/reverse-malware/analyzing-malicious-documents.html

 

The tools in REMnux are command line. I don't know command line. Installing ExeFilter in Linux is dependent on installing python. I paid a computer geek to install Fedora on a micro SD card and install python and ExeFilter. The crackers crashed the Fedora kernel. Fedora could not reboot.

 

These are the tools BleepingComputer monitors should be using. BleepingComputer should be up to date with the most current and accurate anti malware tools. Myrti, could you please use ExeFilter and/or tools in REMnux live DVD and post their logs? If you don't wish to learn how to use the tools, could you please ask another moderator?

 

My earlier thread titled "BadBIOS infected PDF files' was not answered. Could you please ask a moderator to answer it? Thank you.



#10 badBiosVictim

badBiosVictim
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 26 April 2014 - 09:49 AM

Myrti wrote: "If you use a live-cd there's no way a file has been tampered with. CDs can only be written to once."

 

Some linux live DVDs, including Ubuntu and Puppy, have a persistent storage option on the DVD. For list of articles see:

http://www.reddit.com/r/Malware/comments/23fxaa/badbios_live_linux_dvds_persistent_storage/

 

BadBIOS infected computers float a tampered ISO. The linux boxes boot to the floating ISO, not the live DVD. See Matthew Myra comment in:

 

http://www.reddit.com/r/Malware/comments/23fxaa/badbios_live_linux_dvds_persistent_storage/

http://www.reddit.com/r/badBIOS/comments/23zbt0/badbios_creates_shadow_iso_that_is_booted_to/

 

Option in all live linux DVD to alter booting from DVD to a local drive. BadBIOS hackers tamper with live DVD booting to cause live DVD to boot to a hidden protected encrypted partition containing a tampered OS on the local drive (internal harddrive) or removable media.

 

Hackers can remotely create a multi session by burning a tampered OS on the DVD if the linux DVD was not 'sealed' after burning. Unfortunately, linux DVD burning apps such as brasero, xfburn and K3B do not offer the option to seal after burning. Thereafter, the live DVD boots to the multisession tampered OS. This is discussed in:

http://www.reddit.com/r/Malware/comments/23fxaa/badbios_live_linux_dvds_persistent_storage/



#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:45 AM

Posted 26 April 2014 - 09:55 AM

 

Myrti, we could not use different default settings. Default means preinstalled. Default means not changed by the user. If we are using the same version of LibreOffice, the default settings are identical. If we are using different versions of LibreOffice, the default settings most likely are identical. I will ask the developers of LibreOffice to comment.

 

Default means with the settings that the OS you use it on has set.

 

 

 

Myrti, opening .doc file with a plain text file does not "just lead to gibberish." The characters in your .doc are very different from mine. Characters have significance. Characters could be encrypted. Yours doesn't have musical notes. Mine does. BadBIOS Infected .doc files could be playing ultrasonic musical notes through the computer's speakers.  Thereby, infecting nearby computers, tablets and smartphones and disclosing the geolocation of all of them.

 

Yes and I told you why. Because you used utf8 instead of cp1252, which I use.

As a suggestion, open the file again in kwrite, then click on tools, then on encoding, then on western european and then on cp1252. You will see the musical notes disappear.

 

 

 

You assumed we use different versions of LibreOffice. Yet, we have not disclosed the version. Live DVD of PCLinuxOS FullMonty has LibreOffice 4.0.2.2. What is your version? If we are using a different version, the outcome may be identical. This is easy to test. Download an older or newer version of LibreOffice, create a new .doc file, save it. Open with a plain text editor.

 

I use libreoffice 3.4 and I accidentally saved it as odt not doc. This is a doc: (I removed my name as well)

 

Spoiler

 

 

 

Myrti, opening .doc file with a plain text file does not "just lead to gibberish." The characters in your .doc are very different from mine. Characters have significance. Characters could be encrypted. Yours doesn't have musical notes. Mine does. BadBIOS Infected .doc files could be playing ultrasonic musical notes through the computer's speakers.  Thereby, infecting nearby computers, tablets and smartphones and disclosing the geolocation of all of them.

 

For this to be true you would need to have found a security hole in libreoffice (and openoffice and ms office so that it works on other PCs and in all versions of all these programs) that allows the textfile to be turned into sound.  It is not something the file can do by itself. The only thing that can possibly be coaxed into doing this is the application that is reading the file.

The fact that some of the random numbers generated by the compilation of the doc are now interpreted by kwrite as a unicode character of a note has no significance. You could set it to UTF16 and everything would turn to Chinese letters. That doesn't mean the Chinese are trying to get to you.

 

 

 

Myrti wrote: "Now the only way an .doc can actually infect you is if there is an "executable part to it", that is a macro."  This is not true. Doc files can also have malicious OLE2 compounds and malicious shellcode.

 

OLE2 objects are Windows specific, they do not work (without a significant amount of tweaking and extra tools installed) on windows. Shellcode is essentially what I called macros. It's a program written into the doc file that executes specific tasks (usually upon opening the file).



#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:45 PM

Posted 26 April 2014 - 11:21 AM

FTR, the other topic referenced above is located here: http://www.bleepingcomputer.com/forums/t/532130/badbios-pdf-files-infection/

 

~ OB :cherry:


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,701 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:11:45 PM

Posted 26 April 2014 - 06:01 PM

FTR, the other topic referenced above is located here: http://www.bleepingcomputer.com/forums/t/532130/badbios-pdf-files-infection/
 
~ OB :cherry:


Said topic has been locked due to it being for the same issue.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#14 badBiosVictim

badBiosVictim
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 28 April 2014 - 04:21 PM

I asked for comments and DOC dumps from the libreoffice forum. Thread is at

http://en.libreofficeforum.org/node/8087

 

 

Blade, Forum Administrator, wrongly closed my thread on BadBIOS infected PDF files at

http://www.bleepingcomputer.com/forums/t/532130/badbios-pdf-files-infection/

Infected PDFs are not the same issue as infected DOCs. The file structure is different. The forensic tools are different.

 

 

I was pleased that Didier Stevens offered to conduct forensics on my PDF files. Didier Stevens teaches classes on PDF forensics and developed PDF forensic tools. http://44con.com/training/2014/hacking-pdf.html

 

 

Blade closing my thread circumvented Didier Stevens from conducting forensics on my BadBIOS infected PDF files. Myrti, have you taken Didier Stevens' class? Do you know how to use the tools he developed? Have you downloaded his tools at http://blog.didierstevens.com/programs/pdf-tools/ If not, could you please ask Blade to reopen my PDF thread and to notify Didier Stevens that my thread has been reopened?

 

 

Didier Stevens identified the tools he uses to conduct forensics on PDF files. Myrti, I am still waiting for you to identify the tool you used on my DOC files and to produce the log.

 

 

Blade closed my thread on concealing forensic tool and log stating I am being helped here. Yet, I am not being helped here. You continue to refuse to answer my questions.
http://www.bleepingcomputer.com/forums/t/532349/bleepingcomputer-moderator-concealed-forensic-tool-and-log/

 

 

Myrti, I am still waiting for you to answer whether you know how to use Exefilter and the forensic DOC tools in live REMnux DVD. I asked if you had not, to refer my thread to someone who has.

 

 

Below needs to be in this thread. I included it in the other thread because there was no reply button in this thread:

 

 

After developers of LibreOffice comment, I need to include their comment.

 

 

On 4/25/2014, I booted offline to live PCLinuxOS FullMonty DVD and left my computer on overnight. I had logged in as guest. This morning, the configure menu popped up and asked for the root password. I entered the root password. LibreOffice Manager 4.0.2 popped up:

"Old startup script detected and deleted. Please run LibreOffice Manager again. If you get this message again:

 

(a) as root: remove the file: /tmp/xsulomanager

(B) as normal user: run LibreOffice manager"

 

The above is evidence that offline live DVDs have persistent storage. It is also evidence that crackers responded to this post by altering the startup script of LibreOffice Manager. Apparently, the crackers have previously altered the startup scripts of apps and caused the tampering to be persistent.


Edited by badBiosVictim, 28 April 2014 - 04:23 PM.


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,701 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:11:45 PM

Posted 28 April 2014 - 11:46 PM

Hello,

Kindly take the time to read my entire post very carefully before replying. I have taken a great deal of time to write this for you.

I would like to take some time to clarify some things for you on multiple aspects.

First, regarding your behaviour so far at Bleeping Computer. Now, normally I would do this in a private message to save you some embarrassment. But, since you have chosen to attack my staff members publicly I think that it's only appropriate I respond in public as well so that everything is out in the open.

First, you seem to think that attacking staff members here, hurling accusations at them and telling them that they are "wrong" for doing their job is acceptable in any way. Let me be frank: I will not have any member of this site abuse another member in any way. Especially not my staff. They give of their very valuable time freely to help people like you, and they are volunteers. They receive no compensation for their generosity of time and knowledge. Receiving abuse of any sort is not in their job description.

Furthermore, when you come here to post a question you are in no position to make demands of who replies to your topic, who helps you, what tools they use, what they agree or disagree to do for you, or anything. I can assure you that every one of my staff members recognizes their limitations and will not reply to a topic that they do not feel qualified to answer. I can also assure you that if one of my staff members says something, they are not talking out of their rear end. Staff here are knowledgeable in their fields of interest in varying degrees of both layman and professional capacity, and they back up their statements with experience and research. Again, they do not reply to topics they do not feel qualified to address. So, it is generally safe to say that they understand more about the topic at hand than you do. Otherwise, they would be asking the questions and you would be answering them.

I will only say this once. We are not in the business of covering up, denying legitimately needed help to people for ulterior motives, or censoring. Such things run contrary to our purpose. We are here to help with legitimate computer issues.

Your PDF topic was closed because it deals with the same root issue. You believe that you have been compromised by BadBIOS (I'll get to that later). Every other minor issue you claim is a result of that one root issue. Therefore, all discussion belongs in a single topic. If Didier Stevens wishes to reply here, then he may. Nothing is stopping him from doing so. Your other topic will not be reopened, and please do not attempt to start another one.

I would like to make myself perfectly clear. If you wish to remain welcome at Bleeping Computer, then from here on out I expect nothing less than perfect politeness from you. If you do not understand a reply, say so, and whoever is helping you will do their best to explain it more effectively. If you have questions, ask them. But do not accuse them of ignoring your question, denying you help, censoring you, or any other sort of insinuation that they are doing anything other than trying to help and/or educate you with/about your question. Because, honestly, if they were doing anything else why would they even waste their time replying to you.

***************************************************

Now, I would like to take some time to explain some things about BadBIOS to you. I will admit that I am not addressing many of your specific technical questions, for three reasons. First, there are some questions that I just don't know the answer to because I am not familiar with the inner workings of the specific programs you mention. Second, because to understand some of the things you are asking about require a long background of knowledge best learned from a book on inner computer workings or by taking a college curriculum in computer science. It would take many hours of writing to explain to you why what you are seeing is normal, even though it looks weird. Third, and most importantly, because all of your assumptions so far are based upon you being infected with BadBIOS. This is what I want to address.

For my qualifications, I currently work analyzing malicious trends in the information security field, and I have been doing so for quite some time now. Additionally, I take a great amount of time analyzing the newest developing threats. I spent quite some time reading about and considering potential threats when the article about Dragos Ruiu first surfaced in both a professional and a personal interest capacity.

First, my conclusion (which is shared by the vast majority of security professionals worldwide (Google BadBIOS to see what I'm talking about)). Then I will back it up with reasoning.

BadBIOS, as it was described as an active and proliferate threat, cannot exist. Why? Because it doesn't make any sense at all.

First let's look at what is possible about this scenario.

Ultrasonic communication: Yes, researchers have shown that it is possible to transmit information using ultrasonic wave technology over short distances. However, there are a couple of caveats.
  • The victim machine (or all victim machines in a multiple machine scenario) must already be infected with software to generate, transmit, receive, and interpret ultrasonically transmitted code. This technology is not something installed by default on any computer. So, if you had a truly airgapped machine (meaning it was never networked), the only way you could have this happen to you is if someone physically broke into your home and accessed your computer and installed custom built software that would run on your version and distribution of linux and interface with the drivers for your speakers and microphone.
  • Range. Ultrasonic transmission can only occur over extremely limited range before data becomes unrecognizably corrupted. We're talking distances in terms of feet (we're dealing with computer mics and speakers here, hardly precision instruments) assuming no obstructions (like a wall or window, for example)

Firmware Infection: Yes, this is theoretically possible and has been proven in lab and research environments. Yes, there is a single infection in existence (Mebromi) that targets a single BIOS brand (Award). I've never seen Mebromi. Do you know why? Because there is an inherent problem with firmware infection. It's the same problem that explains why there is so little malware for Linux and Mac OS. Limited Potential Audience. An infection with a firmware component will only work on a particular brand (and often particular version) of firmware. If that firmware isn't present, the infection isn't compatible and fails. So, it makes little sense for anyone to write firmware based malware because they would be spending a great deal of time developing something that would only potentially affect a relatively small number of people. This makes the idea of widespread distribution of firmware based malware infeasible. With today's technology, you will not see it except in targeted attacks.

Many things claimed about BadBIOS are technically feasible. However, almost none of the distinguishing characteristics are realistically implementable.

Let's step back from the technical aspects and take a look at the overall scenario. For you to be infected with BadBIOS as you claim, the following would have to be true: Someone with extreme technical knowledge (enough to land them an extremely high paying job at a government agency) has taken enough time and effort to customize a complex infection for your system specifically. Actually, two infections. One for each side of the airgap. Then, said individual obtained physical access to your machine, bypassed any authentication security you had in place, and installed these infections on your machines. To infect one person.

Let's be honest (and I am not belittling you at all here), do you really think that someone would spend that much time, money, and energy to pull this off just to infect you? For what end? Personally, I know no one would ever do something like that to me. Not because I'm so nice or kind or even because I was dangerous and scary. I'd never get attacked like that simply because I'm not nearly important enough to make it worth the effort. Anything that someone wanted from me that they could get with such a complicated attack, there are easier ways to go about getting it.

Here is one good article on BadBIOS: http://www.infoworld.com/d/security/4-reasons-badbios-isnt-real-230636

***************************************************

I will take a quick moment and attempt to explain the strange characters in your files. When you look at things in this way, there are two kinds of data in a computer system. Human readable, and machine readable. Many popular filetypes (doc, pdf, etc) contain both human readable and machine readable data. This machine readable data is not stored in a form where it is designed to be displayed in a text editor. When you open a file like this in a text editor, the editor does the best it can. However, since it's not been given data it understands, the result is random characters where it mistakenly thinks that it understands something. Exactly what characters appear can differ based on what encoding is used, what editor is being used, the format, distro and version of OS, and at times what else happens to be in memory at the time. Simply put, you cannot diagnose an infected file simply by opening it in a text editor. A better approach would be to open it in a hex editor. However, you would need to be able to read the output yourself for it to be of any use to you.

***************************************************

Additionally, you have left off at least two situations (I'm sure there are others which I have not considered) in which a file is unreadable by a program. First, when it is currently locked for read access such as when being used by some applications. Secondly, when an application is not designed to read and understand a particular file. My point here is that there are many reasons why a file might not be successfully read that do not have anything to do with infection.

***************************************************

I will abstain from replying to any other of your technical questions since I have already gone on long enough. I will leave that to anyone else who chooses to respond. I will leave you with this. myrti has already been incredibly patient with you, and I have not seen any gratitude toward her. In fact, I have seen nothing but demands and abuse. I expect that to change.

You may continue to ask questions in this topic for as long as myrti (or another contributor) is willing to answer them, provided you do so politely. Remember, you are a guest here. Not the boss, not a customer (you aren't paying us). A guest. Please don't make me step in again.

Thank you for your time; feel free to let me know if you've any questions.

~Blade
Forum Administrator
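
The encoding point made in this thread (myrti's utf8 versus cp1252 explanation and Blade's advice to use a hex editor), as an added example that is not part of any poster's message: the same bytes are pushed through three text encodings, then read the way a format-aware parser and a hex dump read them. The sample bytes are constructed for illustration and the function names are this example's own.

```python
import re
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary signature

# Constructed sample, not taken from any file in the thread: the first 32
# header bytes of an OLE2 container, one UTF-16LE directory name, and three
# arbitrary binary bytes standing in for compiled document data.
SAMPLE = (
    OLE2_MAGIC
    + bytes(16)                                             # CLSID (unused)
    + struct.pack("<HHHH", 0x003B, 0x0003, 0xFFFE, 0x0009)  # versions, order, shift
    + "Root Entry".encode("utf-16-le")
    + bytes.fromhex("e299aa")
)


def parse_cfb_header(data):
    """Read the fixed header fields a document parser checks before any text."""
    if len(data) < 32 or data[:8] != OLE2_MAGIC:
        return None
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    return {
        "minor_version": minor,
        "major_version": major,
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,
    }


def editor_view(data, encoding):
    """What a text editor shows: every byte forced through one encoding."""
    text = data.decode(encoding, errors="replace")
    # Control and unassigned characters are shown as blanks, as in a paste.
    return "".join(ch if ch.isprintable() else " " for ch in text)


def compare_encodings(data, encodings=("cp1252", "utf-8", "utf-16-le")):
    """Render the same bytes under several encodings for side-by-side review."""
    return {enc: editor_view(data, enc) for enc in encodings}


def utf16_strings(data, min_len=4):
    """Extract runs of printable ASCII stored as UTF-16LE (stream names etc.)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


def hexdump(data, width=16):
    """Encoding-independent view: offset, hex bytes, printable ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asciipart}")
    return lines


if __name__ == "__main__":
    print(parse_cfb_header(SAMPLE))
    for enc, view in compare_encodings(SAMPLE).items():
        print(f"{enc:>9}: {view!r}")
    print(utf16_strings(SAMPLE))
    print("\n".join(hexdump(SAMPLE)))
```

The last three bytes render as a musical note under UTF-8, as three Latin characters under cp1252, and as a CJK ideograph plus a replacement mark under UTF-16, while the hex dump and the parsed header are identical every time.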
