Advisories, Vulnerabilities and Virus Alerts

Status
Not open for further replies.

ferrarif50

Journeyman
Hi Guys,

I am starting this thread to issue regular security advisories, vulnerabilities discovered and new virus threats.

I am putting this in Tutorials, since I will be posting HOWTOs to protect yourself from these threats and how to patch up the vulnerabilities.

Starting with,
Yahoo toolbar makes false spyware links [ADVISORY]

Yahoo has confirmed that its recently released toolbar has mistakenly linked an alleged spyware program with a product that has nothing to do with the application in question.

A company representative said on Friday that its toolbar's Anti-Spy feature incorrectly identified alleged 'hijacker' software known as SearchCentrix as being bundled with Claria's Gator eWallet product, which is designed to manage usernames and passwords. Hijacking programs redirect search results or tamper with browser settings, according to Yahoo.

"The SearchCentrix hijacker was incorrectly identified by our application" as a component of Claria's eWallet software, a Yahoo representative said. "We have no evidence to believe that Claria's eWallet installs that software. We believe that the misidentification was due to a bug in code from our partner, PestPatrol, and are currently working with them to fix it."

A Claria representative said the company has no relationship with SearchCentrix and that the listing was a mistake.

PestPatrol could not immediately be reached for comment.
 
OP
ferrarif50

ferrarif50

Journeyman
Microsoft security bulletin [ADVISORY]

Microsoft issues seven security bulletins, two 'critical'

By Bill Brenner, News Writer
13 Jul 2004 | SearchSecurity.com


An attacker could gain remote control of machines and cause trouble using a variety of security holes Microsoft outlined in seven bulletins yesterday. The software giant said two of them are "critical" and affect several popular products. Information security experts urge people to install the patches immediately.

"My advice to users is to install all the patches and do it early," said David Perry, global director of education for Cupertino, Calif.-based IT security firm Trend Micro Inc. "The critical updates look to be the most serious. But there are a lot of deep security issues in these bulletins and you can never tell which vulnerability someone will choose to exploit. You could patch the critical ones and then the attack could come through the vulnerabilities considered the least serious."

MS04-022 fixes a "critical" vulnerability in Windows Task Scheduler caused by an unchecked buffer.

"If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges," the advisory said. "However, user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges." Affected components are Internet Explorer 6 Service Pack 1 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition). The following software is affected:

* Windows 2000 Service Packs 2 through 4
* Windows XP and XP Service Pack 1
* Windows XP 64-Bit Edition Service Pack 1

MS04-023 fixes a vulnerability in HTML Help that occurs because the program does not completely validate input data. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take control of affected machines. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges, the advisory said. Affected components are the same as the threat in MS04-022. The following software and server programs are affected:

+ Windows 2000 Service Packs 2 through 4
+ Windows XP and XP Service Pack 1
+ Windows XP 64-Bit Edition Service Pack 1
+ Windows XP 64-Bit Edition Version 2003
+ Windows Server 2003
+ Windows Server 2003 64-Bit Edition
+ Windows 98, 98 Second Edition (SE), and Millennium Edition

"These are very critical vulnerabilities and users should install the updates as soon as possible," said Oliver Friedrichs, senior manager of security response for Symantec. "We've seen widespread attacks within weeks of past bulletins for similar flaws. It took only 17 days for Sasser to follow a bulletin. These updates are easy, and there's really no reason to put them off."

Of the five remaining bulletins, four were rated as important and one as moderate.

MS04-019 is rated "important" and resolves a privilege elevation vulnerability that exists in the way Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system.

MS04-020 describes an "important" privilege elevation vulnerability in the POSIX operating system component an attacker could use to take over a machine.

MS04-021 addresses an "important" buffer overrun vulnerability in Internet Information Server 4.0 that could allow remote code execution on an affected system.

MS04-024 fixes an "important" remote code execution vulnerability in how the Windows Shell launches applications.

MS04-018 fixes a "moderate" denial-of-service vulnerability in Outlook Express caused by a lack of robust verification for malformed e-mail headers. If a user running Outlook Express receives a specially crafted e-mail message, the program fails. If the preview pane is enabled, the user must manually remove the message, and then restart Outlook Express to resume functionality. This update also changes the default security settings for Outlook Express 5.5 Service Pack 2.

*searchsecurity.techtarget.com
 
OP
ferrarif50

ferrarif50

Journeyman
Firefox Browser Fixes Security Flaw [VULNERABILITY]

A new version of the Mozilla Firefox browser fixes a flaw that made users vulnerable to online fraud. The flaw allowed fraudsters to set up fake Web sites with names indistinguishable from legitimate companies.

More info can be found at :
*story.news.yahoo.com/news?tmpl=sto..._hi_te/techbits_browser_security&sid=95573501
 
OP
ferrarif50

ferrarif50

Journeyman
OS X Security Update Fixes Phishing Flaw

Apple has released a security update to Mac OS X Panther that patches a vulnerability in the Safari browser.

Security Update 2005-003 includes the following components: AFP Server; Bluetooth Setup Assistant; CoreFoundation; Cyrus SASL; Folder permissions; Safari and Samba; but most importantly, it includes a script for preventing phishers from fooling users of its Safari browser.

More info can be found at :
*www.macworld.co.uk/news/index.cfm?RSS&NewsID=11134
 
OP
ferrarif50

ferrarif50

Journeyman
New Sober variant in the wild [EMAIL SECURITY ALERT]

Several antivirus firms have spotted a new variant of the Sober worm in the wild, hiding in e-mails with English and German text.

According to Cupertino, Calif.-based Symantec, W32.Sober-J is a mass-mailer that uses its own SMTP engine to send itself to e-mail addresses it gathers from the computers it infects. "The subject of the e-mail varies and is in either English or German," the company said in its advisory. "The e-mail sender address is spoofed. The name of the e-mail attachment varies, and it has a .bat, .com, .pif, .scr or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX."

Finnish security firm F-Secure Corp. said Sober-J was seeded in e-mails Jan. 31 and is "quite similar to the previous variants." While most AV companies consider it a low risk, Santa Clara, Calif.-based McAfee said it has seen enough activity to issue a medium-threat alert.

What it looks like
If the worm sends infected messages to domains with suffixes ".de," ".ch," or ".at," it composes a message in German. Otherwise, an English message is made.

In English, the subject line is: I've got YOUR email on my account!!

The body of the e-mail reads: "Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & address. I think it's your name and address. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. Lol. OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. Bye." The attached file is either "email_text.zip" or "text.zip."

E-mail addresses are harvested from files with the following extensions on the victim's machines: abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; and xml.

source: searchsecurity.com
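
The indicators quoted in the advisory above (listed attachment extensions, double extensions, the English subject line and the two attachment names) can be turned into a mail-gateway triage check. This is an added example, not part of the original post or of any vendor's product; the verdict names and the quarantine policy are assumptions, and the sample messages are constructed.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Values quoted in the advisory text above.
LISTED_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
RUNNABLE_EXTS = LISTED_EXTS - {".zip"}          # directly runnable on Windows
KNOWN_SUBJECT = "i've got your email on my account!!"
KNOWN_NAMES = {"email_text.zip", "text.zip"}


def attachment_findings(filename):
    """Return the set of indicators one attachment filename matches."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    findings = set()
    if name in KNOWN_NAMES:
        findings.add("known-name")
    if ext in LISTED_EXTS:
        findings.add("listed-extension")
        if ext in RUNNABLE_EXTS:
            findings.add("runnable-extension")
        # "report.doc.pif": a harmless-looking extension placed before the real one.
        if re.fullmatch(r"\.[a-z]{2,4}", os.path.splitext(stem)[1]):
            findings.add("double-extension")
    return findings


def triage(raw_message):
    """Return (verdict, findings) for one RFC 822 message given as text.

    Assumed policy: a runnable or double extension, or subject plus attachment
    name both matching the advisory, is quarantined; any weaker match (a bare
    .zip is common in legitimate mail) is sent for review.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = set()
    if (msg["Subject"] or "").strip().lower() == KNOWN_SUBJECT:
        findings.add("known-subject")
    for part in msg.iter_attachments():
        findings |= attachment_findings(part.get_filename() or "")
    strong = {"runnable-extension", "double-extension"} & findings
    if strong or {"known-subject", "known-name"} <= findings:
        return "quarantine", findings
    return ("review" if findings else "pass"), findings


def sample(subject, filename=None):
    """Build a constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for subject, filename in [
        ("I've got YOUR email on my account!!", "text.zip"),
        ("Quarterly report", "report.doc.pif"),
        ("Photos", "holiday.zip"),
        ("Minutes", "minutes.pdf"),
    ]:
        print(filename, triage(sample(subject, filename)))
```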
 
OP
ferrarif50

ferrarif50

Journeyman
Security holes in Linux kernel

Attackers could exploit security holes in the Linux kernel to cause a denial of service, corrupt memory and launch malicious code. But users can update to a newer version in which the flaws are fixed.

Danish security firm Secunia described three "moderately critical" vulnerabilities in an advisory:

An error in ROSE due to missing verification of the ndigis argument of new routes;
A user with permission to access a SCSI tape device can send certain commands that could render the device unusable for other users; and
Unspecified glitches in the ISO9660 file system handler, including the Rock Ridge and Juliet extensions, could be exploited by a specially crafted file system to cause a denial of service or memory corruption, which could then allow the attacker to launch malicious code.

Secunia said these issues specifically affect Linux Kernel 2.6 and that the vulnerabilities are fixed in version 2.6.12-rc1.

More information is available at Kernel.org
 
OP
ferrarif50

ferrarif50

Journeyman
Microsoft patches 18 flaws

Microsoft issued patches to close 18 security holes in Internet Explorer, Windows, MSN Messenger, Exchange and Office. But this month's batch doesn't address recently discovered problems in the software giant's popular browser, e-mail and database programs.

"None of the recent vulnerabilities are fixed this month, but I didn't expect them to be fixed, either," said Mike Murray, director of vulnerability and exposure research for San Francisco-based security firm nCircle.

One of those vulnerabilities, discovered by the security research organization HexView, is in Microsoft's Jet Database Engine. Attackers could use a memory handling error in the program to launch malicious code. Danish security firm Secunia said the flaw is "highly critical" because exploit code has been posted to a public mailing list. Secunia confirmed the vulnerability on a fully patched system with Microsoft Access 2003 and Windows XP SP1/SP2.

Also unaddressed this month are two vulnerabilities in Internet Explorer and Outlook brought to light by Aliso Viejo, Calif.-based eEye Digital Security. The first "allows malicious code to be executed, contingent upon minimal user interaction," eEye said, adding that the problem affects Internet Explorer, Outlook and "additional miscellaneous titles." The second vulnerability has the same damage potential and also affects IE and Outlook.

Attackers could use "important" Windows shell and "moderate" message queuing vulnerabilities to launch malicious code, Microsoft said. They could also exploit "important" vulnerabilities in the Windows kernel as well as "critical" Transmission Control Protocol/Internet Protocol (TCP/IP) validation and reset flaws to gain escalated privileges, launch code and cause a denial of service.

A cumulative update for Internet Explorer closes "critical" security holes attackers could use to take over machines and install programs; view, change or delete data; and create new accounts with full user rights, Microsoft said.

"A lot of people use Internet Explorer, and exploits could occur just by browsing," Sutton said. "It's not difficult to exploit. And the TCP/IP flaws are something to pay attention to, because supposedly you can take a malformed IP packet and execute code. This puts a lot of [Windows] boxes in danger, especially in an enterprise setting."

Murray said code execution in the IP stack has the potential to be "super serious."

"All Windows boxes have an IP stack, so you're talking about something that's widely deployed," he said. "This is something that could be easily exploited."

Other fixes

Microsoft fixed another "critical" flaw that could let an attacker connect to the Simple Mail Transfer Protocol (SMTP) port on an Exchange server. A specially-crafted command could then be used to cause a denial of service or allow the attacker "to run malicious programs of their choice in the security context of the SMTP service," the company said.

A "critical" update for MSN Messenger fixes a security hole attackers could exploit to take over affected machines.

Finally, a "critical" update for Microsoft Word and Office fixes buffer overrun vulnerabilities an attacker could exploit to launch malicious code.

Microsoft also re-released two earlier bulletins. The first, originally issued in January, addresses two critical flaws in how cursor, animated cursor and icon formats are handled.

The second re-release, originally from February, fixes a glitch in Media Player, Windows Messenger and MSN Messenger an attacker could also use to take control of vulnerable machines.

The patch release came on a day when the blocker to Microsoft's SP2 download program expired. As the Bethesda, Md.-based SANS Internet Storm Center put it in a Tuesday-morning Web site message, "The Automatic-Download of Microsoft XP Service Pack 2 may soon happen on your network if your organization has opted out of the original update and does not maintain [its] own SMS or SUS servers."


source: searchsecurity.techtarget
 
OP
ferrarif50

ferrarif50

Journeyman
Symantec Squashes Virus Detection Bypass Bug

Anti-virus vendor Symantec has released patches for a security vulnerability in several enterprise and consumer products that can be exploited to bypass scanning functionality.

In a public advisory posted last Wednesday, the company said an error in the Symantec Antivirus component that is responsible for processing encoded or archived content has the potential to be exploited through the use of a specially crafted .rar file.

Read the rest of this eWEEK story here:
*www.eweek.com/article2/0,1759,1790796,00.asp
 
OP
ferrarif50

ferrarif50

Journeyman
Netscape Upgrade May Not Fix Critical Flaw

AOL on Wednesday urged users of its Netscape Web browser to upgrade immediately to the latest beta version to protect against a potentially dangerous security vulnerability.
The flaw, which carries a "highly critical" rating from Secunia, has been confirmed in Netscape versions 6.x through 7.x.

Secunia did not release details on the vulnerability, but it appears to be the same GIF processing error that affected the Mozilla Foundation's Firefox browser.

According to a previously released Mozilla advisory, the flaw exists in the way the obsolete Netscape Extension 2 parses GIF images, and can lead to an exploitable heap overrun.

In extreme cases, an attacker can use a specially crafted GIF image to exploit the bug and run arbitrary code on the victim's machine.


source : eweek.com
 
OP
ferrarif50

ferrarif50

Journeyman
Mozilla Firefox Two Vulnerabilities: Extremely critical

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Release Date: 2005-05-08
Critical: Extremely critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 1.x

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution: Disable JavaScript.

source: *secunia.com/advisories/15292/
 

Choto Cheeta

Rebooting
maybe...... not to open this month's Digit DVD without updated KAV or updated NAV05.....

*www.thinkdigit.com/forum/viewtopic.php?t=20025
 
OP
ferrarif50

ferrarif50

Journeyman
Fedora Core 3 Update: pygtk2-2.4.1-fc3.1

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-367
2005-05-11
---------------------------------------------------------------------

Product : Fedora Core 3
Name : pygtk2
Version : 2.4.1
Release : fc3.1
Summary : Python bindings for the GTK+ widget set.
Description :
PyGTK is an extension module for python that gives you access to the GTK+
widget set. Just about anything you can write in C with GTK+ you can write
in python with PyGTK (within reason), but with all the benefits of python.

---------------------------------------------------------------------

* Fri May 6 2005 John (J5) Palmieri - 2.4.1-fc3.1

- Update to fix bug #14423


---------------------------------------------------------------------
This update can be downloaded from:
*download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

*www.redhat.com/mailman/listinfo/fedora-announce-list

For more:
*www.linuxsecurity.com/content/view/119106/102/
 
OP
ferrarif50

ferrarif50

Journeyman
Microsoft Security Bulletin MS05-024

Vulnerability in Web View Could Allow Remote Code Execution (894320)

A script injection vulnerability exists in Web View while handling file attributes, which allows remote code execution.

Affected Software:

• Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Executive Summary:

This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

*www.microsoft.com/technet/security/bulletin/MS05-024.mspx
 
OP
ferrarif50

ferrarif50

Journeyman
Firefox Suffers 'Extremely Critical' Security Hole

The Firefox Web browser has two unpatched security holes that could
allow an attacker to take control of a user's computer system, security
researchers have warned.

Firefox has two unpatched security holes that could allow an attacker to take control of a user's computer system, and exploit code is already circulating on the Internet, security researchers have warned.
A patch is expected shortly, but users can protect themselves in the meantime by switching off JavaScript. In addition, the Mozilla Foundation said it has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2. But by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT).

Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months, Firefox has picked up market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that part of the reason the browser is more secure is because it has a relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

The Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, it warned that users may be vulnerable if they have added other sites to the whitelist.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," the Mozilla Foundation said in a statement published on Mozillazine.org.

Source: *www.computerworld.com/securitytopi...801,101624,00.html?source=NLT_ES_B&nid=101624
 
OP
ferrarif50

ferrarif50

Journeyman
Security Bytes: New flaw in Windows XP, server products

Versions of Windows XP and Server 2003 contain a flaw attackers could use to cause a denial of service, French security firm FrSIRT said in an advisory.

The vulnerability is in the Windows IPv6 TCP/IP stack when processing a specially crafted packet in which the SYN flag is set and the source address and port are the same as the destination address and port. A remote user could exploit this vulnerability to launch a LAND attack, which would cause a vulnerable system to crash.

Microsoft patched a variant of this flaw in April, FrSIRT said. The problem specifically affects Windows XP, XP SP1, XP SP2, Server 2003 and Server 2003 SP1. FrSIRT recommends users filter all traffic with a firewall. The organization said it is "not aware of any official supplied patch for this issue."

Src: searchsecurity.techtarget.com
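
The packet condition described in the advisory above (SYN flag set, source address and port equal to destination address and port, carried over IPv6) can be written as a check for a filter or a capture-analysis script. This is an added example, not part of the original post; the function names are hypothetical, and the test packets are constructed in memory with documentation-range addresses and are never sent.

```python
import ipaddress
import struct

TCP = 6
FRAGMENT = 44
# Hop-by-hop, routing and destination-options headers: byte 1 holds the
# header length in 8-byte units, not counting the first 8 bytes.
VARIABLE_EXT = {0, 43, 60}
SYN = 0x02


def parse_ipv6_tcp(packet):
    """Return (src, dst, sport, dport, flags), or None if this is not a
    parsable IPv6 packet whose upper-layer header is TCP."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header = packet[6]
    src, dst = packet[8:24], packet[24:40]
    offset = 40
    # Walk the extension-header chain so the check cannot be sidestepped by
    # placing an options header in front of the TCP segment.
    while next_header in VARIABLE_EXT or next_header == FRAGMENT:
        if len(packet) < offset + 8:
            return None
        if next_header == FRAGMENT:
            # Only the first fragment (offset 0) carries the TCP header.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += length
    if next_header != TCP or len(packet) < offset + 14:
        return None
    sport, dport = struct.unpack_from("!HH", packet, offset)
    return src, dst, sport, dport, packet[offset + 13]


def is_land(packet):
    """True when the packet matches the LAND pattern from the advisory."""
    parsed = parse_ipv6_tcp(packet)
    if parsed is None:
        return False
    src, dst, sport, dport, flags = parsed
    return bool(flags & SYN) and src == dst and sport == dport


def build_packet(src, dst, sport, dport, flags, dest_opts=False):
    """Constructed test input: IPv6 + TCP header bytes, checksum left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    payload, first = tcp, TCP
    if dest_opts:
        # Destination-options header: next=TCP, len=0, one PadN option.
        payload, first = bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + tcp, 60
    header = struct.pack("!IHBB", 6 << 28, len(payload), first, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


if __name__ == "__main__":
    host, peer = "2001:db8::10", "2001:db8::20"   # documentation range
    print(is_land(build_packet(host, host, 445, 445, SYN)))   # LAND pattern
    print(is_land(build_packet(peer, host, 50000, 445, SYN)))  # ordinary SYN
```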
 
OP
ferrarif50

ferrarif50

Journeyman
Security holes plague Linux kernel

French security firm FrSIRT reports in a new advisory that the Linux kernel contains "multiple vulnerabilities" attackers could use to cause a denial of service and launch malicious commands.

"These flaws are due to input validation errors in the raw device and pktcdvd block device ioctl handlers when processing specially crafted arguments passed to the 'raw_ioctl(),' 'pkt_ioctl()' and 'ioctl_by_bdev()' functions, which may be exploited by malicious users to execute arbitrary commands with kernel privileges," the advisory said. Linux Kernel version 2.6.11.9 and prior are affected. Users are advised to switch to version 2.6.11.10 via the Linux kernel Web site.
 
OP
ferrarif50

ferrarif50

Journeyman
Flaw in Intel's hyperthreading technology

An attacker could use a glitch in Intel Corp.'s hyperthreading technology to steal security keys from a compromised server using a sophisticated timing attack, a researcher said Friday in a paper presented at the BSDCan 2005 conference. According to a report from the IDG News Service, hyperthreading allows software to take advantage of unused execution units in a processor. It essentially allows two separate processes, or software threads, to execute on a single processor at the same time, improving performance on software written to take advantage of the technology. By taking advantage of the fact that the processes share access to a chip's cache memory, an attacker can determine the security keys to a particular computer by monitoring the cache for those keys, said Colin Percival, an independent researcher. Intel and several software companies are working on a fix for the problem, but they don't consider it critical, an Intel spokesman told the news service.

Src: searchsecurity.techtarget.com
 
OP
ferrarif50

ferrarif50

Journeyman
KDE Linux users still at risk from flaw

Linux users who patched their systems for a serious security vulnerability in K Desktop Environment last month will have to patch once again, because of errors in the original patch, according to the KDE project.

The vulnerability affects kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used in KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, meaning that if an image crafted to exploit the flaw were viewed in any of these applications, they could allow an attacker to execute malicious code and take over a system. The flaw affects KDE Versions 3.2 to 3.4, according to KDE.


The patches issued last month fixed most of the problems but still allowed local users to exploit the bug by serving files from the /tmp directory, KDE said in an advisory. They also introduced a new bug, breaking kimgio's compatibility with .rgb images.


The problems will mean a fresh round of patching for Unix-derived systems using KDE, one of the two most popular desktop environments for Unix and Linux. KDE released a new patch fixing the problems with the original patch, and operating system vendors such as Red Hat and SUSE have followed suit this week.


Software vendors are under pressure to deliver timely patches, but faulty updates are not unknown as a result, say security experts. This week, for instance, Microsoft re-released a critical security update after it caused networking problems for many users.


Such problems can mean a major headache for system administrators, but they seem to be on the wane, according to Thomas Kristensen, chief technology officer at Danish security firm Secunia. "Generally speaking, I'd say that most vendors have improved significantly over the last two years when it comes to quality testing of their security fixes," he said.

Source: *www.computerworld.com/softwaretopics/os/story/0,10801,101858,00.html?source=NLT_LIN&nid=101858
 
OP
ferrarif50

ferrarif50

Journeyman
Latest Sober worm sends German spam

E-mail users perplexed by the barrage of German-language spam waiting in their in-boxes this morning can blame the latest version of the Sober mass-mailing worm, which began rapidly spreading over the weekend.
Sober.q uses both German- and English-language messages to direct recipients to Web sites with right-wing German nationalistic content, according to an advisory from e-mail security company MX Logic Inc. in Englewood, Colo. One of the URLs points to the Web site of the right-wing German National Democratic Party, the security firm said.

MX Logic said that it had seen over 125,000 instances of Sober.q overnight Saturday and into Sunday and labeled it as a high-severity threat. The variant is downloaded by computers already infected by the Sober.p worm, which began circulating earlier this month, MX Logic said. The virus writers appear to have remote control over the Sober.p-infected machines, giving them a network from which to launch future spam and denial-of-service attacks.

The latest Sober variant is one of a relatively new type of "propaganda spam," meant to spread political messages rather than sell a product or service, MX Logic said. Circulation of the worm coincides with ceremonies marking the 60th anniversary of the end of World War II in Europe and examples of subject lines it sends include "Dresden 1945" and "Du wirst zum Sklaven gemacht!!!" ("You are made slaves!!!").

"We are certainly seeing more propaganda spam," said Graham Cluley, a senior technology consultant at Sophos PLC. Security researchers began detecting religious spam selling a particular view of life last year, Cluley said.

Although Sophos is seeing a lot of German-language spam sent by the new Sober variant, the worm itself doesn't appear to be spreading anymore, Cluley said.

E-mail users are advised to update their spam filters to guard against the new Sober spam.

Source: *www.computerworld.com/securitytopi...0801,101760,00.html?source=NLT_VVR&nid=101760
 